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Abstract 

We present computationally efficient error-correcting codes and holographic proofs. Our 
error-correcting codes are asymptotically good and can be encoded and decoded in linear 
time. Our construction of holographic proofs provide, for every proof of any theorem, a 
slightly larger "holographic" proof whose accuracy can be probabilistically checked by an 
algorithm that only reads a constant number of the bits of the holographic proof and runs 
in poly-logarithmic time (such proofs have also been called "transparent proofs" and "prob- 
abilistically checkable proofs"). We explain how these constructions are related and how 
improvements of these constructions should result in a strengthening of this relationship. 

For every constant r such that < r < 1, we construct an infinite family of systematic 
linear block error-correcting codes that have an encoding circuit with a linear number of 
wires. There is a constant e > and a linear-time decoding algorithm for these codes that 
maps every word of relative distance at most e from a codeword to that codeword. The 
encoding circuits have logarithmic depth. The decoding algorithm can be implemented as 
a circuit with O(ralogra) wires and logarithmic depth. These constructions make use of 
explicit constructions of expander graphs and superconcentrators. 

Our constructions of holographic proofs improve on the theorem PCP(log ra, 1) = NP, 
proved by Arora, Lund, Motwani, Sudan, and Szegedy, by providing, for every e > 0, 
constant-query checkable proofs of size 0(n 1+e ). That is, we design a probabilistic poly- 
logarithmic time proof checking algorithm that takes two inputs: a theorem candidate and a 
proof candidate. After reading a constant number of bits from each input, the proof checker 
decides whether to accept or reject its inputs. For every rigorous proof of length n of any 
theorem, there is an easily computable holographic proof of that theorem of size 0{n 1+e ) 
such that, with probability one, the proof checker will accept the holographic proof and 
an encoding of the theorem. Conversely, if the proof checker accepts a theorem candidate 
and a proof candidate with probability greater than one-half, then the theorem candidate 
is close to a unique encoding of a true theorem and the proof candidate constitutes a proof 
of that theorem. 
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Chapter 1 



Introduction 



Mathematical studies of proofs and error-correcting codes played an important role in the 
development of theoretical computer science. In this dissertation, we develop ideas from 
theoretical computer science and apply them to the construction of error-correcting codes 
and proofs. Our goal is to construct error-correcting codes that can be encoded and decoded 
and proofs that can be verified as efficiently as possible. The error-correcting codes that we 
build are the first known asymptotically good family of error-correcting codes that can be 
encoded and decoded in linear time. Our construction of holographic proof systems enables 
one to transform any rigorous proof system into one whose proofs, while only slightly longer, 
can be probabilistically checked by the examination of only a constant number of their bits. 
We conclude by explaining how these constructions of error-correcting codes and holographic 
proofs are related. 

1.1 Error-correcting codes 

Error-correcting codes were introduced to deal with a fundamental problem in commu- 
nication: when a message is sent from one place to another, it is often distorted along 
the way. An error-correcting code provides a systematic way of adding information to a 
message so that even if part of the message is corrupted in transmission, the receiver can 
nevertheless figure out what the sender intended to transmit. Naturally, the probability 
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that the receiver can recover the original message decreases as the amount of distortion 
increases. Similarly, the amount of distortion that the receiver can tolerate increases as 
more redundant information is added to the transmitted message. 

In his seminal 1948 paper, A Mathematical Theory of Communication, Shannon [Sha48] 
proved tight bounds on the amount of redundancy needed to tolerate a given amount of cor- 
ruption in discrete communication channels. Shannon modeled the communication problem 
as a situation in which one is trying to send information from a source to a destination over a 
channel that occasionally becomes corrupted by noise (See Figure 1-1). Shannon described 
a coding scheme in which the transmitter breaks the original message into pieces, adds some 
redundant information to each piece to form a codeword, and then sends the codewords. 
The codewords are chosen so that if the received signal does not differ too much from the 
sent signal, the receiver will be able to remove the distortion from the received signal, fig- 
ure out which codeword was sent, and pass the corrected message on to the destination. 
Shannon defined a notion called the capacity of a channel, which decreases as the amount 
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Figure 1-1: Shannon's schematic of a communication system. 



of noise on the channel increases, and demonstrated that it is impossible to reliably send 
information from the source to the destination at a rate that exceeds the capacity of the 
channel. Thus, the capacity of the channel determines how much redundant information 
the transmitter needs to add to each piece of a message. Remarkably, Shannon was able 
to demonstrate that there is a coding scheme that enables one to reliably send information 
from the source to the destination at any rate lower than the capacity. Moreover, using 
such a coding scheme, one can arbitrarily reduce the probability that a message will fail to 
reach the destination without adding any extra redundant information: one need merely 
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increase the size of the pieces into which the message is broken. 

But, there was a catch. While Shannon demonstrated that it is possible to encode longer 
and longer pieces of messages, he did not present a efficient means for doing so. Thus, the 
study of error-correcting codes was born in an attempt to find coding schemes that approx- 
imate the performance promised by Shannon and to find efficient implementations of these 
coding schemes. In this thesis, we present the first such coding scheme in which the compu- 
tational effort needed to encode and decode corrupted codewords is strictly proportional to 
the length of the codewords. This enables us to arbitrarily reduce the probability of error in 
communication without decreasing the rate of transmission or increasing the computational 
work required. 

1.2 The purpose of proofs 

When we construct error-correcting codes, we are concerned with the transmission of a 
message, but we ignore its content. In the second part of this thesis, we explore how a 
receiver can become convinced that a message has a particular content while only reading 
a small portion of the message. 1 We formalize this by requiring that the message be a 
demonstration of some fact, and we consider the content of the message to be the truth of 
that fact. That is, we treat the message as a proof. 

A proof is the means by which one mathematician demonstrates the truth of an assertion 
to another. Ideally, it should be much easier for the other to become convinced of the truth 
of the assertion by reading a proof of it than by attempting to derive the veracity of the 
assertion from scratch. Thus, we view a proof as a labor-saving device: by providing proofs, 
we provide others with the fruits of our labor, but spare them its pains 2 . By including extra 
details and background material, we make our proofs accessible to a broader audience. If 
we supply sufficient detail, then one almost completely ignorant of mathematics should be 
able to check the veracity of our claims. 

In principle, any mathematical claim and accompanying proof can be expressed using 



'Some may try to do this by reading only the introduction of the message, but one cannot be sure that 
the body will fulfill the promises made in the introduction. 
We hope that this dissertation achieves this goal. 
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a few axioms and a simple calculus. The verifier of such a proof need only be able to 
check that certain simple string operations are performed correctly and that strings have 
been faithfully copied from one part of the proof to another. By making the proofs slightly 
longer, it is possible to construct formats for proofs in which the verifier only needs to check 
that a collection of pre-specified conditions are met, each of which only involves a constant 
number of bits of the proof. At this point, it seems that we have made the task of the 
verifier as simple as is conceivably possible. But, by allowing for a little uncertainty, we can 
make it even simpler. 

The complexity class non-deterministic polynomial time, usually called NP, roughly 
captures the set of facts that have proofs whose size is polynomial in the length of their 
statement. Similarly, the class non-deterministic exponential time, NEXP, captures the set 
of facts that have proofs whose size is exponential in the size of the statement of the fact. 
In their proof that NEXP = MIP, Babai, Fortnow, and Lund [BFL91] demonstrated that 
it is possible to probabilistically verify the truth of one of these exponentially long proofs 
while only reading a polynomial number of the bits of the proof. Without reading the whole 
proof, the verifier cannot be certain that it is true. But, by reading a small portion of the 
proof, the verifier can be very confident that it is true. That is, the verifier will always 
accept a correct proof of a true statement; but, if the verifier examines a purported proof 
of a false statement, then the verifier will reject the purported proof with high probability. 

The following year, Babai, Fortnow, Levin, and Szegedy [BFLS91] explained how sim- 
ilar techniques could be combined with some new ideas to construct transparent proofs of 
any mathematical statement. Their transparent proof of a statement was only slightly 
longer than the formal proof from which it was derived, but it could be probabilistically 
verified in time poly-logarithmic (very small) in the size of the proof and the degree of 
confidence desired. In a related series of papers by Feige, Goldwasser, Lovasz, Safra, 
and Szegedy [FGL+91], Arora and Safra [AS92b], and Arora, Lund, Motwani, Sudan, and 
Szegedy [ALM + 92], proofs were created that could be probabilistically verified by exam- 
ining only a constant number of randomly chosen bits of the proof. 3 However, the size of 



These types of proofs have gone by the names transparent proofs, probabilistically checkable proofs, and 
holographic proofs. We prefer the name holographic proofs, introduced by Levin, because, as in a hologram, 
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these proofs was at least quadratic in the size of the original proofs. 

We construct proofs that combine the advantages of being nearly linear in the size of 
the original proofs and having verifiers that run in poly-logarithmic time and read only a 
constant number of bits of the proof. 

Note that we do not advocate the use of such proof systems by practicing mathemati- 
cians. A mathematician is rarely satisfied with merely knowing that a fact is true. The 
excitement of mathematics lies in understanding why. While one might obtain such an 
understanding by reading a holographic proof, it would be much simpler to read a proof 
written in plain language designed for easy comprehension. We study holographic proofs 
both because we want to find out how little work one need do to verify a fact and because, 
in the process of studying this fundamental question, we obtain results that have important 
implications in other areas. 

Among the techniques used to construct and analyze holographic proofs, we would like to 
point out the importance of those derived from the study of: checkable, self-testable/self- 
correctable, and random-self-reducible functions [BK89, RS92, BLR90, Rub90, GLR + 91, 
GS92, Lip91, BF90, Sud92, She91]; techniques for reducing our dependence on random- 
ness [IZ89, Zuc91]; interactive proofs [Bab85, BM88, GMR89, GMR85, B0GKW88, FRS88, 
LFKN90, Sha90, FL92, LS91, BFL91]; and error-correcting codes [GS92, BW, BFLS91]. 
Through many of these works one finds a common algebraic thread inspired by the work of 
Schwartz [Sch80]. The crux of our construction of holographic proofs is a purely algebraic 
statement — Theorem 4.2.19. 

The main application of constructions of holographic proofs has been to prove the hard- 
ness of finding approximate solutions to certain optimization problems. Notable papers 
in this direction include [PY91, FGL+91, AS92b, ALM+92, LY94, Zuc93, BGLR93, F94, 
BS94, ABSS93]. Holographic proofs have also been applied to problems in many areas of 
complexity theory [CFLS93, CFLS94, Kil92, Kil94, Mic94, KLR+94]. While not properly an 
application of holographic proof technology, our constructions of error-correcting codes were 



each bit of information in a holographic proof is reflected in the entire structure. Some authors reserve the 
term probabilistically checkableiov proof systems in which the proof checker reads the statement to be proved 
and use transparent or holographic to describe systems in which the statement of the theorem to be proved 
is encoded so that the proof checker only needs to read a constant number of its bits. 
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inspired by these proofs. They were born of an attempt to find an alternative construction 
of holographic proofs, and we hope that they one day aid in this effort. 

1.3 Structure of this thesis 

We begin in Section f .4 with an introduction to the field of error-correcting codes from the 
perspective of this complexity theorist. In Section 1.5, we describe some of what is known 
about the complexity of error-correcting codes. The goal of this introduction is to provide 
a context for the results in Chapters 2 and 3. 

Chapters 2 and 3 are devoted to our construction of linear-time encodable and decodable 
error-correcting codes. In Chapter 2, we describe a construction of codes that can be 
decoded in linear time, but for which we only know quadratic-time encoding algorithms. 
These codes can also be decoded in logarithmic time by a linear number of processors. In this 
chapter, we introduce many of the techniques that we will use in Chapter 3. In particular, 
we present a relation between expander graphs and error-correcting codes. Along the way, 
we survey some of what is known about expander graphs. As we feel that these codes 
might be useful for coding on write-once media, we conclude the chapter by presenting 
some thoughts on how one might go about implementing these codes. 

In Chapter 3, we present our construction of linear-time encodable and decodable error- 
correcting codes. These codes can also be encoded and decoded in logarithmic time with 
a linear number of processors. We call these codes super-concentrator codes because their 
encoding circuits bear a strong resemblance to superconcentrators. As part of our construc- 
tion, we develop a type of code that we call an error-reducing code. An error-reducing code 
enables one to quickly remove most of the errors from a corrupted codeword, but it need 
not allow full error-correction. We construct superconcentrator codes by carefully piecing 
together appropriately chosen error-reducing codes. Again, we conclude this chapter with 
some thoughts on how one might implement these codes and on how they could be improved. 

Chapter 4 is devoted to our construction of nearly linear size holographic proofs. This 
Chapter is somewhat more involved than Chapters 2 and 3, but it should be intelligible 
to the reader with a reasonable background in theoretical computer science. We begin by 
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describing holographic proofs and by defining some of the types of error-correcting codes 
that they are related to. A potentially useful type of error-correcting code derived from 
holographic proofs is a checkable code. Checkable codes have associated randomized algo- 
rithms that, after examining only a constant number of randomly chosen bits of a received 
word, can make a good estimation of the probability that a decoder will successfully decode 
the word. One could use such an algorithm to decide whether to request the retransmis- 
sion of a word even before the decoder has worked on it. In Section 4.2, we develop the 
algebraic machinery that we will need to construct our holographic proofs. We show that 
certain polynomial codes are somewhat checkable and verifiable. These codes are used in 
Section 4.3 to construct our basic holographic proof system. We apply this system to itself 
recursively to construct our efficient holographic proofs. In the final sections, we present 
a few variations of our construction, each more powerful, but more complicated, than the 
previous. 

In the last chapter of this thesis, we explain some of the connections between our con- 
structions of error-correcting codes and holographic proofs. We explain the similarities 
between expander codes and the checkable codes derived from holographic proofs. We also 
discuss whether checkable codes are a necessary component of holographic proofs. Our 
conclusion is that the problems of constructing more efficient checkable codes, holographic 
proofs, and expander codes are strongly linked, and could even have the same solution. 
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1.4 An introduction to error-correcting codes 

The purpose of this section is to provide the reader with a convenient reference for the basic 
definitions from the field of error-correcting codes that we will use in this thesis. Those who 
understand the phrase "asymptotically good family of systematic linear error-correcting 
codes" can probably skip this section. 

Intuitively, a good error-correcting code is a large set of words such that each pair differs 
in many places. Let X be a finite alphabet with q letters. A code of length n over X is a 
subset of Y," . Throughout most of Chapters 2 and 3, we will discuss codes over the alphabet 
{0, 1}, which are called binary codes. Unless otherwise stated, all the codes that we discuss 
should be assumed to be binary. 

Two important parameters of a code are its rate and minimum distance. The rate of a 
code C is (log |C|)/n. The rate indicates how much information is contained, on average, 
in each code symbol. The minimum distance of a code C is 

min d(x, y), 

**y 

where d(x,y) is the Hamming-distance between two words (i.e., the number of places in 
which they differ). We will usually talk about the relative minimum distance of a code, 
d(x,y)/n. 

Since we are interested in the asymptotic performance of codes, we define a family of 
error- correcting codes to be an infinite sequence of error-correcting codes that contains at 
most one code of any length. If {C 8 -} is a family of error-correcting codes such that, for all 
i, the rate of C 8 - is greater than r, then we say that the family has rate at least r. Similarly, 
if the relative minimum distance of each code in the family is at least 8, then we say that 
the relative minimum distance of the family is at least 8. An infinite family of codes over 
a fixed alphabet is called asymptotically good if there exist positive constants r and 8 such 
that the family has rate and relative minimum distance at least r and 8 respectively. 4 A 
central problem of coding theory has been to find explicit constructions of asymptotically 



We will occasionally say good code when we mean asymptotically good code. 



1.4 An introduction to error-correcting codes 21 

good families of error-correcting codes with as large rate and relative minimum distance as 
possible. 

The preceding definitions are standard. We will now make some less standard definitions 
that will help us discuss the complexity of encoding and decoding error-correcting codes. 

An encoding function for a code C of rate r is a bijection 

/: S™ ->C. 

We say that an encoding function is systematic if there exist indices i l7 . . . , i rn such that for 

all x == \x-y^...^x rn ) £ 2-i , 

\Xi 7 . . . , X rn ) — yJyXji l7 . . . , J\X )i rn )- 

That is, the message is embedded in the codeword. If a code has a systematic encoding 
function, then we say that the code is systematic. We can think of a systematic code as 
being divided into rn "message symbols" and (1 — r)n "check symbols". The check symbols 
are uniquely determined by the message symbols, and we can view the message symbols 
as containing the information content of the codeword (in a binary code, we will call these 
message bits and check bits). 

An error- correcting function for a code C is a function 

ff:S"-CU{?} 

such that g{x) = x, for all x £ C. We say that an error-correcting function for C can correct 
m errors if for all x £ C and all y £ S n such that d(x, y) < to, we have g(y) = x. We allow 
an error-correcting function to return the value "?" so that it can describe the output of 
an algorithm that could not find an element of C close to its input. We use the verb decode 
loosely to indicate the process of correcting a constant fraction of errors. When we say a 
"decoding algorithm", we mean an algorithm that can correct some constant fraction of 
errors. From the perspective of a complexity theorist, the fraction of errors that can be 
efficiently corrected in a family of error-correcting codes is much more interesting than the 
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actual minimum distance of those codes. 

1.4.1 Linear codes 

The codes that we construct will be linear codes. A linear code is a code whose alphabet 
is a field and whose codewords form a vector space over this field. There are two natural 
ways to represent a linear code: either by listing a basis of the space and defining the code 
to be all linear combinations of those basis vectors, or by listing a basis of the dual space. 
A matrix whose rows are a basis of the dual space is called a check matrix of the code. 

In a binary code, each check bit is just a sum modulo 2 of a subset of the message bits. 
Some elementary facts that we will use about linear binary codes are: 

• The zero vector is always a codeword. 

• They are systematic. To see this, row reduce the (1 — r)n X n check matrix until it 
contains (1 — r)n columns that contain exactly one 1. These columns correspond to 
the check bits, and the remaining rn columns correspond to the message bits. Observe 
that row-reducing the check matrix does not change the code that it defines. It is now 
clear that for any setting of the message bits, there is a unique setting of the check 
bits so that the resulting vector is orthogonal 5 to every row in the row-reduced check 
matrix. 

• They can be encoded using 0(n 2 ) work: there is a rn X (1 — r)n matrix such that 
the check bits can be computed from the message bits by multiplying the vector of 
rn message bits by this matrix. (This is the matrix that appears in the columns 
corresponding to the message bits described in the previous item.) 

• The minimum distance of a linear code is equal to the minimum weight of a non-zero 
codeword (the weight of a codeword w is d(0, w); note that d(v , w) = d(0, w — v)). 



We say that two vectors are orthogonal if their inner product is zero. Over a finite field, this loses its 
geometric significance: a vector can be orthogonal to itself! 
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1.4.2 Asymptotic bounds 

Good linear codes are easy to construct. A randomly chosen parity check matrix defines a 
good code with exponentially high probability. 

Theorem 1.4.1 Let Vi, . . .,v an be vectors chosen uniformly at random from GF(2) n . Let 
C be the code consisting of the length n vectors over GF(2) that are orthogonal to all 
of Vi, . . .,v an . C has rate at least 1 — a. With high probability, C has relative minimum 
distance at least e, for e < 1/2 and a > H(e), where H(-) is the binary entropy function 

(i.e. H(x) = —x log 2 x — (1 — x) log 2 (l — x)). 

Proof: The probability that any non-zero word is orthogonal to each of Vi, . . .,v an is 
2~ an . Thus, the probability that some non-zero vector of weight at most en is orthogonal 
to each of Vi, . . ., v an is at most J2l=i ( n )2~ an . One can use Stirling's formula to show that, 
for fixed e, log 2 ( n ) = nH(e)-\- O(logra). Thus, the sum approaches zero if a > H(e). ■ 

Codes with rate r and minimum relative distance e for r > 1 — H(e) are said to meet the 
Gilbert- Varshamov bound. While these random linear codes may be encoded using quadratic 
work, we know of no efficient algorithm for decoding them. 

An easy upper bound on the performance of a code is the sphere-packing bound: 

Theorem 1.4.2 Let C n be an infinite sequence of codes with relative minimum distance at 
least S. Then 

limsup rate(C n ) < 1 - H(6/2). 

n— )-oo 

Proof: If the code has minimum distance Sn, then there are disjoint balls of radius Sn/2 
around each codeword. These balls account for at least 2™( <5 ™, 2 ) words; but, there are only 
2" words of length n. ■ 

Better upper bounds than the sphere-packing bound are known. The Elias bound, which 
held the record for a long time, has a fairly simple proof. 

Theorem 1.4.3 [Elias] Let C n be an infinite sequence of codes with relative minimum distance 
at least S. Then 

limsup rate(C n ) < 1 - H ( Vl -26) . 

n— >-oo \Z Z J 
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Even better, but much more complicated to prove, is the McEliece-Rodemich-Rumsey- Welch 
upper bound: 

Theorem 1.4.4 [McEliece-Rodemich-Rumsey-Welch] Let C n be an infinite sequence of codes 
with relative minimum distance at least 8. Then 

1 



limsup rate(C n ) < H ( \/^(l — <*>) 



Proofs of both of these can be found in [MS77]. 
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1.5 The complexity of coding 

Many of the foundations for the analysis of the complexity of algorithms were laid by Shan- 
non in his 1949 paper The synthesis of two-terminal switching circuits [Sha49]. Suggestions 
for how to analyze the complexity issues special to error-correcting codes appeared in the 
work of Savage [Sav69, Sav71] and Bassalygo, Zyablov, and Pinsker [BZP77]. For more gen- 
eral studies of the complexity of algorithms, we point the reader to [AHU74] and [CLR90]. 

From our perspective, the relevant questions are: how hard is it to encode a family of 
error-correcting codes, and how much time does it take to correct a constant fraction of 
errors? We are not as interested in the minimum distance of a code as we are in the number 
of errors that we can efficiently correct. We measure encoding and decoding efficiency by 
the time of a RAM algorithm or the size and depth of a boolean circuit that performs the 
operations. Bassalygo, Zyablov, and Pinsker point out that we should also examine the 
complexity of building the encoding and decoding programs or circuits. While we do not 
discuss this in detail, it will be clear that there are efficient polynomial-time algorithms for 
constructing our encoding and decoding programs and circuits. 

Initially, the only algorithms known for decoding error-correcting codes were exponential 
in complexity: enumerate all codewords and select one closest to the received word. For 
linear codes, one could do slightly better by computing which parity checks were violated 
and searching for the smallest pattern of errors that would violate exactly that set of parity 
checks. There were numerous improvements on these approaches. We will not attempt to 
survey the accomplishments of coding theory; we will just mention the most efficient coding 
algorithms known prior to our work: Using efficient implementations of the Finite Fourier 
Transform, Justesen [Jus76] and Sarwate [Sar77] have shown that certain Reed-Solomon 
and Goppa codes can be encoded in O(ralogra) time and decoded in time Olralog raj. 
While these codes are not necessarily asymptotically good, one can compose them with 
good codes to obtain asymptotically good codes with similar encoding and decoding times. 
Moreover, these algorithms are easily parallelized. 

Codes that have more efficient algorithms for one of these operations have suffered in 
the other. Gelfand, Dobrushin, and Pinsker [GDP73] presented randomized constructions 
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of asymptotically good codes that could be encoded in linear time. However, they did 
not suggest algorithms for decoding their codes, and we suspect that a polynomial-time 
algorithm would be difficult to find. 

Zyablov and Pinsker [ZP76] showed that it is possible to decode Gallager's randomly 
chosen low-density parity-check codes [Gal63] in logarithmic time with a linear number of 
processors. These codes are essentially the same as those we present in Section 2.3. We 
are not aware of any algorithm for encoding these codes that uses less than 0(n 2 ) work. 
Kuznetsov [Kuz73] used these codes to construct fault-tolerant memories. Pippenger has 
pointed out that Kuznetsov's proof of the correctness of these memories can serve as a 
proof of correctness of the parallel decoding algorithm that we present in Section 2.3.3. 
By analyzing these codes in terms of the expansion properties of the graphs by which 
they are defined, we are able to provide a much simpler proof of the correctness of the 
parallel decoding algorithm, prove for the first time the correctness of the natural sequential 
decoding algorithm presented in Section 2.3.1, and obtain the first explicit constructions of 
asymptotically good low-density parity-check codes. 



Chapter 2 



Expander codes 



In this chapter, we explain a way of using expander graphs to construct asymptotically 
good linear error-correcting codes. These codes can be decoded in linear sequential time or 
parallel logarithmic time with a linear number of processors. The best encoding algorithms 
that we know for these codes are the 0(n 2 ) time algorithms that can be used for all linear 
codes. These codes fall into the category of low-density parity-check codes introduced by 
Gallager [Gal63]. The construction that we present in Section 2.5 is the first known explicit 
construction of an asymptotically good family of low- density codes. 

We begin by explaining what expander graphs are and prove that good expander graphs 
exist. In Section 2.2, we define expander codes precisely and prove that they can be asymp- 
totically good. In Section 2.3, we show how error-correcting codes derived from very good 
expander graphs can be efficiently decoded. The construction that we present in this section 
is similar to Gallager's construction. In Section 2.3.1, we provide the first proof of correct- 
ness for the natural sequential algorithm for decoding these codes. In Section 2.3.2, we 
demonstrate that this algorithm only works on codes derived from expander graphs. Thus, 
Gallager's codes work precisely when the graphs from which they are derived are expanders. 
Unfortunately, we are not aware of deterministic constructions of expander graphs with the 
level of expansion needed for this first construction. 

In Section 2.4, we survey some of what is known about explicit constructions of expander 
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graphs. We use these constructions in Section 2.5 to produce explicit constructions of 
expander codes that can be decoded efficiently. 

We conclude this chapter with a discussion of how one might want to implement these 
codes and a presentation of the results of experiments which demonstrate the good perfor- 
mance of these codes. 

2.1 Introduction to expander graphs 

An expander graph is a graph in which every set of vertices has a large number of neighbors. 
It is a perhaps surprising but nonetheless well known fact that expander graphs that expand 
by a constant factor, but which have only a linear number of edges, do exist. In fact, a 
simple randomized process will produce such a graph. 

Let G = (V, E) be a graph on n vertices. To describe the expansion properties of G, we 
say every set of size at most m expands by a factor of c if, for all sets S C V, 



\S\ < m 



{y : 3x £ S such that (x, y) £ E} > c \S\ . 



One can show that for all e > there exists a S > such that, for sufficiently large ra, a 
random rf-regular graph will probably expand by a factor of d — 1 — e on sets of size 8n. We 
cannot hope to find graphs that expand by a factor greater than d — 1 because it is easy 
to find sets that have this level of expansion: the vertices of a cycle in a graph does the 
trick (a graph of degree greater than two has cycles of logarithmic size). Ideally, we should 
describe the expansion of a graph by presenting a function that gives the expansion factor 
for each size of set. 

In our constructions, we will make use of unbalanced bipartite expander graphs. That is, 
the vertices of the graph will be divided into two sets such that there are no edges between 
vertices in the same set. We will call such a graph (d,c) -regular if all the nodes in one set 
have degree d and all the nodes in the other have degree c. By counting edges, we find 
that the number of rf-regular vertices must differ from the number of c-regular vertices by 
a factor of c/d. We will only consider the expansion of sets of vertices contained within one 
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side of the graph. In Section 2.1.1, we will show that if c > d and one chooses a (d, c)-regular 
graph at random, then it will have expansion approaching d — 1 from the large side to the 
small side and expansion approaching c — 1 from the small side to the large side. 

We wish to point out that Alon, Brack, Naor, Naor, and Roth [ABN + 92] used expander 
graphs in a different way to construct asymptotically good families of error-correcting codes 
that lie above the Zyablov bound [MS77]. Also, Alon and Roichman [AR94] use error- 
correcting codes to construct expander graphs. 

2.1.1 The expansion of random graphs 

In this section, we will prove upper and lower bounds on the expansion factors achieved by 
random graphs that become tight as the degrees of the graphs become large. 

We first prove a simple upper bound on the expansion any graph can achieve. 

Theorem 2.1.1 Let B be a bipartite graph between n rf-regular vertices and -n c-regular 
vertices. For all < a < 1, there exists a set of an rf-regular vertices with at most 

n- (1 - (1 - a) c ) + 0(1) neighbors. 
c 

Proof: Choose a set X of an rf-regular vertices uniformly at random. Now, consider 
the probability that a given c-regular vertex is not a neighbor of the set of rf-regular ver- 
tices. Each neighbor of the c-regular vertex is in the set X with probability a. Thus, the 
probability that the c-regular vertex is not a neighbor of X is 

c-l 

ttH- an — i 



■ n n - I 

2 = 



which tends to (1 — a) c as n grows large. This implies that the expected number of non- 
neighbors tends to ra-(l — a) c . ■ 

This simple upper bound becomes tight as d grows large. 
How to choose a random (d, c)-regular graph: To choose a random (d, c)-regular 
bipartite graph, we first choose a random matching between dn "left" nodes and dn "right" 
nodes. We collapse consecutive sets of d left nodes to form the n rf-regular vertices, and we 
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collapse consecutive sets of c right nodes to form the -n c-regular vertices. It is possible 
that this graph will have multiedges that should be thrown away, but this does not hurt 
the lower bound on the expansion of this graph that we will prove. 

To make our language consistent with the rest of this chapter, we will call the rf-regular 
vertices "variables" and the c-regular vertices "constraints". 

Theorem 2.1.2 Let B be a randomly chosen (d, c)-regular bipartite graph between n variables 
and -n constraints. Then, for all < a < 1, with exponentially high probability all sets of an 
variables in B have at least 

n (-(I - (1 - af) - ^2daH(a)/log 2 e) 

neighbors, where H(-) is the binary entropy function. 

Proof: First, we fix a set of an variables, V, and estimate the probability that V 7 s set 
of neighbors is small. The probability that a given constraint is a neighbor of V is at least 
1 — (1 — a) c . Thus, the expected number of neighbors of V is at least n- (1 — (1 — a) c ). 
Noga Alon suggested that we form a martingale (See [AS92a]) to bound the probability 
that the size of the set of neighbors deviates from this expectation. 

Each node in V will have d outgoing edges. We will consider the process in which the 
destinations of these edges are revealed one at a time. We will let X, be the random variable 
equal to the expected size of the set of neighbors of V given that the first i edges leaving V 
have been revealed. X l7 . . . , X dan form a martingale such that 

\X{ + i — X { \ < 1, 

for all < i < dan. Thus, by Azuma's Inequality (See [AS92a]), 

Prob[E[X dan ] - X dan > \Vda~n\ < e'^ 1 ' 1 . 

But, -E[X dcm ] is just the expected number of neighbors of V. Moreover, X dan is the expected 
size of the set of neighbors of V given that all edges leaving V have been revealed, which is 
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exactly the size of the set of neighbors of V. 

Since there are only ( n ) choices for the set V, it suffices to choose A so that 



" e-* a /'«l. 

, an I 



By Stirling's formula, this holds for large n if A satisfies 



nH (a) /log 2 e < Y/2 => ^2nH(a)/log 2 e < A. 

In general, if a graph has good expansion on a certain size set, then it will have similar 
expansion on smaller sets. However, this is not always true. What we can say is that 
the probability that sets of a certain size have a given expansion factor is a unimodal 
function. Theorem 2.1.2 shows that the probability of failure is exponentially small for large 
sets. However, for sets of constant size the probability of failure will be only polynomially 
small. One can probably show that whenever the probability that large sets have a certain 
expansion factor is exponentially small, all smaller sets will have the same expansion factor 
with high probability. 

2.2 Expander codes 

To build an expander code, we begin with an unbalanced bipartite expander graph. Say 
that the graph is (d, c)-regular between sets of vertices of size n and -n, and that c > d. We 
will identify each of the n nodes on the large side of the graph with one of the bits in a code 
of length n. We will usually refer to these n bits as variables. Each of the -n vertices on the 
small side of the graph will be associated with a constraint. Each constraint will restrict 
only those variables that are neighbors of the vertex identified with the constraint (See 
Figure 2-1). These will be called the "variables in the constraint". A constraint will require 
that the variables it restricts form a codeword in some linear code of length c. Because each 
constraint we impose upon the variables is linear, the expander codes we construct will be 
linear as well. It is convenient to let all the constraints be the same. 
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Figure 2-1: A constraint restricts the variables that are its neighbors. 

Definition 2.2.1 Let B be a bipartite graph between n variables and -n constraints that is 
rf-regular on the variables and c-regular on the constraints. Let S be a code of block-length c. 
A constraint is satisfied by a setting of the variables if the variables in that constraint form a 
codeword of S. The expander code C(B,S) consists of the settings of the variables that satisfy 
every constraint. 

If the expander graph is a sufficiently good expander and if the constraints are identified 
with sufficiently good codes, then the resulting expander code will be a good code. 

Theorem 2.2.2 Let B be a bipartite graph between n variables and -n constraints that is 
rf-regular on the variables and c-regular on the constraints. Let S be a code of block-length c, 
rate r, and relative minimum distance e. If B expands by a factor of more than — on all sets 
of size at most an, then C(B,S) has rate at least dr — (d — 1) and relative minimum distance 
at least a. 

Proof: To obtain the bound on the rate of the code, we will count the number of linear 

restrictions imposed by the constraints. Each constraint induces (1 — r)c linear restrictions. 

Thus, there are a total of 

n— (1 — r)c = dn(l — r) 
c 
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linear restrictions, which implies that there are at least n(dr — (d — I)) degrees of freedom. 
To prove the bound on the minimum distance, we will show that there can be no non- 
zero codeword of weight less than an. Let w be a non-zero word of weight at most an 
and let V be the set of variables that are 1 in this word. There are d\V\ edges leaving the 
variables in V. The expansion property of the graph implies that these edges will enter 
more than —\V\ constraints. Thus, the average number of edges per constraint will be less 
than ce, so there must be some constraint that is a neighbor of V, but which has a number 
of neighbors in V that is less than the minimum distance of S. This implies that w cannot 
induce a codeword of S in that constraint; so, w cannot be a codeword in C(B, S). ■ 

Remark 2.2.3 A construction of codes defined by identifying the nodes on one side of a 
bipartite graph with the bits of the code and identifying the nodes on the other side with subcodes 
first appeared in the work of Tanner [Tan81]. Following Gallager's lead, Tanner analyzed the 
performance of his codes by examining the girth of the bipartite graph. Margulis [Mar73] also 
used high-girth graphs to construct error-correcting codes. Unfortunately, it seems that analysis 
resting on high-girth is insufficient to demonstrate that families of codes are asymptotically 
good. 

2.3 A simple example 

A simple example of expander codes is obtained by letting B be a graph with expansion 
greater than | on sets of size at most an, and letting S be the code consisting of words of 
even weight. The parity-check matrix of the resulting code, C(B,S), is just the adjacency 
matrix of B. The code S has rate — - and minimum relative distance -, so C(B,S) has 
rate I — - and minimum distance at least an. 

c 

To obtain a code that we can decode efficiently, we will need even greater expansion. 
With greater expansion, small sets of corrupt variables will induce non-codewords in many 
constraints. By examining these "unsatisfied" constraints, we will be able to determine 
which variables are corrupted. In Sections 2.3.1 and 2.3.3, we will explain how to decode 
these simple expander codes. 
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Unfortunately, we do not know of explicit constructions of expander graphs with ex- 
pansion greater than |. Thus, in order to construct these simple codes, we must use the 
randomized construction of expanders explained in Section 2.1. 

2.3.1 Sequential decoding 

There is a natural algorithm for decoding these simple expander codes. We say that a 
constraint is "satisfied" by a word w if the sum of the values that w assigns to the variables 
in the constraint is even; otherwise, we call the constraint "unsatisfied". Consider what 
happens when we flip 1 a variable that is in more unsatisfied than satisfied constraints. The 
unsatisfied constraints containing the variable become satisfied, and vice versa. Thus, we 
have decreased the total number of unsatisfied constraints. The idea behind the sequential 
decoding algorithm is to keep doing this until no unsatisfied constraints remain, in which 
case we have a codeword. Theorem 2.3.1 says that if the graph used to define the code 
is a good expander and if not too many variables of a codeword are corrupted, then this 
algorithm will succeed. 
Sequential expander code decoding algorithm: 

• If there is a variable that is in more unsatisfied than satisfied constraints, then flip 
the value of that variable. 

• Repeat until no such variables remain. 

It is easy to implement this algorithm so that it runs in linear time (assuming that 
pointer references have unit cost). In Figure 2-2, we present one such way of implementing 
this algorithm. We assume that the graph has been provided to the algorithm as a graph 
of pointers in which each constraint points to the variables it contains, and each variable 
points to the constraints in which it appears. The implementation runs in two phases: 
a set-up phase that requires linear time, and then a loop that takes constant time per 
iteration. During the set-up phase, the variables are partitioned into lists by the number of 
unsatisfied constraints in which they appear. During normal iteration of the loop, a variable 



If the variable was 0, make it 1. If it was 1, make it 0. 
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Set-up phase 

For each constraint, compute the parity of the sum of the variables it contains. (The 
algorithm should have a list of the constraints.) 

Initialize lists L , • • • , L d . 

For each variable, count the number of unsatisfied constraints in which it appears. 
If this number is i, then put the variable in list £,. 

Loop 

Until lists L^d/2] ? • • • ? L d are empty do: 
Find the greatest i such that Li is not empty 
Choose a variable v from list Li 
Flip the value of variable v 
For each constraint c that contains variable v 
Update the status of constraint c 
For each variable w in constraint c 

Recompute the number of unsatisfied constraints in which w appears. Move it 
to the appropriate list. 

If all variables are in list L , the output the values of the variables. Otherwise, 
report "failed to decode". 

Figure 2-2: An implementation of sequential expander code decoding algorithm. 

that appears in the greatest number of unsatisfied constraints is flipped; the status of each 
constraint that contains that variable is updated; and each variable that appears in each of 
those constraints is moved to the list that reflects its new number of unsatisfied constraints. 
If, at some point, there is no variable in more unsatisfied than satisfied constraints, the 
implementation leaves the loop and checks whether it has successfully decoded its input. 
If all the variables are in the list L , then there are no unsatisfied constraints and the 
implementation will output a codeword. We will show that the loop is executed at most a 
linear number of times. 

Theorem 2.3.1 Let B be a bipartite graph between n variables of degree d and -n constraints 
of degree c such that all sets X of at most an variables have at least (| + e)d|X| neighbors, for 
some e > 0. Let C(B) be the code consisting of those settings of the variables that cause every 
constraint to have parity zero. Then the sequential decoding algorithm will correct up to an 
a/2 fraction of errors while executing the decoding loop at most dan/2 times. Moreover, the 
algorithm runs in linear time on all inputs, regardless of whether or not B is a good expander. 
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Proof: We will say that the decoding algorithm is in state (v,u) if v variables are 

corrupted and u constraints are unsatisfied. We view u as a potential associated with v. 

Our goal is to demonstrate that the potential will eventually reach zero. To do this, we 

will show that if the decoding algorithm begins with a word of weight at most an/2, then, 

at every step, there will be some variable with more unsatisfied neighbors than satisfied 

neighbors. 

First, we consider what happens when the algorithm is in a state (v,u) with v < an. 

Let s be the number of satisfied neighbors of the corrupted variables. By the expansion of 

the graph, we know that 

u + s > — he dv. 
~ V4 J 

Because each satisfied neighbor of the corrupted variables must share at least two edges with 
the corrupted variables, and each unsatisfied neighbor must have at least one, we know that 

dv > u + 2s. 

By combining these two inequalities, we obtain 

s<(--e)dv and u > ( - + 2e j dv. (2.1) 

Since each unsatisfied constraint must share at least one edge with a corrupted variable, and 
since there are only dv edges leaving the corrupted variables, we see that at least a (| + 2e) 
fraction of the edges leaving the corrupted variables must enter unsatisfied constraints. 
This implies that there must be some corrupted variable such that a (| + 2e) fraction of its 
neighbors are unsatisfied. Of course, this does not mean that the decoding algorithm will 
decide to flip a corrupted variable. 

However, it does mean that the only way that the algorithm could fail to decode is if 
it flips so many uncorrupt variables that v becomes greater than an. Assume by way of 
contradiction that this happens. Then there must be some time at which v equals an. At 
this time, equation (2.1) tells us that u > ^an. This leads to a contradiction because u is 
initially at most |ara and can only decrease during the execution of the algorithm. 



2.3 A simple example 37 

This would imply that the algorithm was in a state (an,u), where u < |cra, because u 
was initially at most |cra. But, this would contradict the analysis above. 

To see that the implementation of the sequential decoding algorithm runs in linear time, 
first observe that the degree of every variable and constraint is constant; so, the set-up phase 
requires linear time. Moreover, every time a variable is flipped by the algorithm, the number 
of unsatisfied constraints decreases. Thus, the loop cannot be executed a number of times 
greater than the number of constraints. Because the degree of each variable and constraint 
is constant, each iteration requires only constant time. ■ 

We note that it is possible to improve the constants in this analysis by taking into 
account the fact that after each decoding step, the number of corrupted variables actually 
decreases by at least 2- — d. 

2.3.2 Necessity of Expansion 

We will now show that the sequential decoding algorithm works only if the graph B is an 
expander graph. 

Theorem 2.3.2 Let B be a bipartite graph between n variables of degree d and -n constraints 
of degree c such that the sequential expander code decoding algorithm successfully decodes all 
sets of at most an errors in the code C{B). Then, all sets of an variables must have at least 



an 1 + 



Q 6J-1 

Z 2c 



neighbors in B. 

Proof: We will first deal with the case in which d is even. In this case, every time a 
variable is flipped, the number of unsatisfied constraints decreases by at least 2. Consider the 
performance of the decoding algorithm on a word of weight an. Because the algorithm stops 
when the number of unsatisfied constraints reaches zero, the algorithm must decrease the 
number of unsatisfied constraints by at least 2an as it corrects the an corrupted variables. 
Thus, every word of weight an must cause at least 2an constraints to be unsatisfied, so 
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every set of an variables must have at least 2cra neighbors. Because we assume that c > d, 

2 d-i 



2> 1 



2c 



d-1 



3 ■ 2c 



and we are done with the case in which d is even. 

When d is odd, we can only guarantee that the number of unsatisfied constraints will 
decrease by 1 at each iteration. This means that every set of an variables must induce at 
least an unsatisfied constraints. Alone, this is insufficient to demonstrate expansion by a 
factor greater than f . However, let us consider what must happen for the algorithm to be 
in a state in which an variables are corrupted, but there is no variable that the decoding 
algorithm can flip that will cause the number of unsatisfied constraints to decrease by more 
than f . This means that each corrupted variable has at least ^- of its edges in satisfied 
constraints. Because each satisfied constraint can have at most c incoming edges, this 
implies that there must be at least cm^- satisfied neighbors of the an variables. Thus, the 
set of an variables must have at least cra(f + ^~) neighbors. 

On the other hand, if the algorithm decreases the number of unsatisfied constraints by 
more than f , then it must decrease the number by at least 3. For some word of weight an, 
assume that the algorithm flips fian variables before it flips a variable that decreases the 
number of unsatisfied constraints by only f. The original set of an variables must have had 
at least 

3/3cra + (f — fi)an 

neighbors. On the other hand, once the algorithm flips a variable that causes the number of 
unsatisfied constraints to decrease by f, we can apply the bound of the previous paragraph 
to see that the variables must have at least 



(l-/>)an(l + ^) 



neighbors. We note that this bound is strictly decreasing in /3, while the previous bound 
is strictly increasing in /3, so the lower bound that we can obtain on the expansion occurs 
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when (3 is chosen so that 

3/3cra + (1 - fi)an = (l + ^-) (1 - fi)an => 

1 + 2/3 = (1-/3)(1 + ^) => 

/3(3 + ^) = ^ => 

d-1 



P 



3-M 



When we plug (3 back in, we find that the set of an variables must have at least 



an 1 + 



2 



d-l 
2c 



3 + ^ 



neighbors. ■ 

2.3.3 Parallel decoding 

The sequential decoding algorithm has a natural parallel analogue: in parallel, flip each 
variable that appears in more unsatisfied than satisfied constraints. We will see that this 
algorithm can also correct a constant fraction of errors if the code is derived from a suffi- 
ciently good expander graph. 
Parallel expander code decoding algorithm: 

• In parallel, flip each variable that is in more unsatisfied than satisfied constraints. 

• Repeat until no such variables remain. 

Theorem 2.3.3 Let B be a bipartite graph between n variables of degree d and -n constraints 
of degree c such that all sets X of at most a n variables have more than (| + e)<i|X| neighbors, for 
some e > 0. Let C{B) be the code consisting of those settings of the variables that cause every 
constraint to have parity zero. Then, C(B) has rate at least (1 — -) and the parallel expander 
code decoding algorithm will correct any a < " ol ~ 2 + e ' fraction of errors after log 1 ,, 1 _ 2e J an) 
decoding rounds, where each round requires constant time. 
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Proof: Assume that the algorithm is presented with a word of weight at most an, where 
a < " ol ~ 2 + . We will refer to the variables that are 1 as the corrupted variables, and we 
will let S denote this set of variables. We will show that after one decoding round, the 
algorithm will produce a word that has at most (1 — 2e)cra corrupted variables. 

To this end, we will examine the sizes of F, the set of corrupted variables that fail to flip 
in one decoding round, and C, the set of variables that were originally uncorrupt, but which 
become corrupt after one decoding round. After one decoding round, the set of corrupted 
variables will be C U F. Define v = \S\, and set (f>, 7, and 8 so that \F\ = (f>v, \C\ = jv, and 
|iV(5')| = Sdv. By expansion, 8 > | + e. To prove the theorem, we will show that 

1 
^ + 7 <T ^<l-2e. 

We will first show that 

<f>< 4 - 48. 

We can bound the number of neighbors of S by observing that each variable in F must 
share at least half of its neighbors with other corrupted variables. Thus, each variable in 
F can account for at most |d neighbors, and, of course, each variable in S \ F can account 
for most d neighbors, which implies 

3 

Sdv < —d(f>v + d(l — (f>)v =>■ 

<f> < 4 -48. 



We now show that 



1 < TT" 



4 ' 
Assume by way of contradiction that this is false. Let C be a subset of C of size — Y* e v . 
Each variable in C" must have at least | edges that land in constraints that are neighbors 
of S . Thus, the total number of neighbors of C" U S is at most 

-\C'\ + 8dv. 

2 1 ' 
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But, because the set C" U S has size at most 



4 
1 



4+6 ; v 2 

l + 4e N 



a n 



< (tt^I ( — 2 — Ja n = a n, 
it must have expansion greater than d(| + e), which implies that 

2 1 ' 2 ^ | + e y 

After simplifying this inequality, we find that it is a contradiction. Thus, we find 

<^> + 7 < 4-4S + ^~/4+ e ) 

4+ e 



1 - (| + e) + 4e - 4eS 



l- 6 + 4e(l-^) 



* + < 



* + <' 



We note that this algorithm can be implemented by a circuit of size O(ralogra) and 
depth O(logra). 

2.4 Explicit constructions of expander graphs 

In order to create explicit constructions of expander codes, we will need to make use of 
explicit constructions of expander graphs. In this section, we will survey some of what 
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is known about explicit constructions of expander graphs. The only facts in this section 
that are necessary for the results of this Chapter are Lemma 2.4.6, Lemma 2.4.14, and 
Theorem 2.4.7. In Chapter 3, we will also make use of Proposition 2.4.19. 

The expansion properties of a graph are strongly related to its eigenvalues. We recall 
their definition: 

Let G be a graph on n vertices. The adjacency matrix of G is the ra-by-ra matrix, A, 
with entries (a 8 j) such that 

{1, if (i,j) is an edge of G, and 
0, otherwise. 

When we say "the eigenvalues of G" , we mean the eigenvalues of this matrix. 

Remark 2.4.1 Some researchers normalize the entries in the adjacency matrix so that its 
eigenvalues have absolute value at most 1. It is also common to study the Laplacian of a 
graph — the matrix that has the degree of vertex i as the (i,i)-th entry, —1 as the (i,j)-th 
entry if i and j are adjacent, and otherwise. This matrix has the advantage of being positive 
semi-definite. 

We will now restrict our discussion to graphs that are regular of some degree d. Note 
that d will be an eigenvalue of these graphs, corresponding to the eigenvector that is 1 in 
each entry. It is fairly easy to show that the multiplicity of the eigenvalue d will be equal 
to the number of connected components of G. Henceforth, we will only consider connected 
graphs G. It is again fairly easy to show that —d will be an eigenvalue if and only if the 
graph is bipartite. All other eigenvalues must lie between —d and d. 

A graph will be a good expander if all eigenvalues other than d have small absolute 
value. 2 For example, a large separation of eigenvalues implies that the number of edges 
between two sets of vertices is roughly the number expected if the sets were chosen at 
random: 

Theorem 2.4.2 [Beigel-Margulis-Spielman] Let G = (V,E) be a rf-regular connected graph 



The analogous statement holds for bipartite graphs if all eigenvalues other than d and — d are small, but 
we will not discuss that situation here. 
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on n vertices such that every eigenvalue other than d has absolute value at most A. Let X and 
Y be subsets of V of sizes an and fin respectively. Then 



|{0, y) e X X Y : 0, y) G E}\ - dafin < n\y/(a - a 2 )(j3 - f3 2 ). 



Proof: Let A be the adjacency matrix of the graph G, and let x and y be the charac- 
teristic vectors of the sets X and Y respectively (i.e. the vector that is f for each vertex in 
the set, and otherwise). 

We will compute (Ax, y) in two ways, where (•, •) denotes the standard inner product of 
vectors. We first observe that this term counts the number of edges from vertices in X to 
vertices in Y . (If X and Y intersect, then each edge in their intersection is counted twice 
as it can be viewed as going from X to Y in two ways.) So, 

(Ax,y) = \{(x,y) e X XY : (x,y) e E}\ . 

Let v = x — al and let w = y — (31. A simple calculation reveals that v and w are 
perpendicular to 1. Because A is a symmetric matrix, we also know that Av is perpendicular 
to 1. 

We compute 

(Ax,y) = (A(v + a?),(w + pi)} 

= (Av, w) + (Av, fit) + (aAl, w) + (aAl, fit) 

= (Av,w) + /Aal,f3l) 

= (Av, w) + dafin 

because Av is perpendicular to 1, and w is perpendicular to Al. Recall that for two vectors 



a and b, (a, b) < \/(a, a) (b, b). We combine this with the observations that 

(v, v) = a(l — a)n, 
(w,w) = fi(l — fi)n, and 
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v is perpendicular to the eigenvector corresponding to d to obtain 



\(Av,w)\ < \ny/(a-a 2 )(/3-P 2 ) 
\(Ax,y)-dnaP\ < \nyj(a- a 2 )(P - P 2 ). 



We will use this result to derive Tanner's theorem [Tan84], which shows that if A is 
small, then G is an expander. 

Theorem 2.4.3 [Tanner] Let G be a rf-regular graph on n vertices such that all eigenvalues 
other than d have absolute value at most A. Then, for any subset X of the vertices of G, the 
neighbors of X , N(X), must have size 

|iv ( x)|> d ™ 



A 2 + (d 2 - A 2 )^' 

Proof: Let X have size an. Let Y be the set of non-neighbors of X , and assume Y has 
size Pn. Because there are no edges between X and Y, Theorem 2.4.2 implies that 

daPn < n\y / (a - a 2 )(/3 - /3 2 ) => 

d 2 ap < A 2 (l-a)(l-/3) =*► 

P (a(d 2 - X 2 ) + X 2 ) < X 2 (l-a) => 



1-/3 > 



of 



a(d 2 -A 2 ) + A 2 - 



Remark 2.4.4 One can similarly show that a rf-regular bipartite graph will be a good expander 
if every eigenvalue other than d and —d is small. These results do not actually depend on the 
graph being rf-regular. One can prove similar statements so long as there is a separation between 
the first and second largest eigenvalues. 

Remark 2.4.5 Kahale [Kah93b] improves this theorem by showing that graphs with a similar 
eigenvalue separation have even better expansion. 
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The property of expander graphs that will be most useful to us in this dissertation is 
that small subsets of vertices in an expander have very small induced subgraphs: 

Lemma 2.4.6 [Alon-Chung [AC88]] Let G be a rf-regular graph on n vertices such that all 
eigenvalues other than d have absolute value at most A. Let X be a subset of the vertices of G 
of size jn. Then, the number of edges contained in the subgraph induced by X in G is at most 

2 d V +rf7(l-7. 

Proof: Follows from Theorem 2.4.2 by setting Y = X and observing that we count every 
edge of the induced subgraph twice. ■ 

It is natural to ask how large a separation can exist between the eigenvalue d and 
the next-largest eigenvalue. Lubotzky, Phillips and Sarnak [LPS88] and, independently, 
Margulis [Mar88] provide an explicit construction of infinite families of graphs in which 
there is a very large separation. 

Theorem 2.4.7 [Lubotzky-Phillips-Sarnak, Margulis] For every pair of primes p,q congruent 
to 1 modulo 4 such that p is a quadratic residue modulo q, there is an easily constructible 
(p + I)-regular graph with q(q 2 — l)/2 vertices such that the second-largest eigenvalue of the 
graph is at most 2^/p. 

We will hereafter refer to these graphs as LPS-M graphs. 

Remark 2.4.8 LPS-M graphs are Cayley graphs of PSL(2,Z/qZ). One can find a repre- 
sentation of these graphs so that the names of the neighbors of a vertex can be computed in 
poly-logarithmic time from the name of that vertex. 

Alon and Boppana [Ak>86] have proved that the separation of eigenvalues achieved by 
LPS-M graphs is optimal: 

Theorem 2.4.9 [Alon-Boppana] Let G n be a sequence of A;-regular graphs on n vertices and 
let A n be the second-largest eigenvalue of G n . Then 

lim sup A n > 2yk — l. 
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Alon [AI086] has proved that every expander graph must have some separation of eigen- 
values. 

Theorem 2.4.10 Let G be a rf-regular graph on n vertices such that for all sets S of size at 
most n/2, 

\N(S)\>(l + c)\S\. 

Then, all eigenvalues of G but d have absolute value at most 

c 2 



4 + c 2 



LPS-M graphs will suffice for our constructions in Section 2.5. However, a more general 
class of graphs will suffice as well. The following definition captures this class of graphs: 

Definition 2.4.11 We will say that a family of graphs Q is a family of good expander graphs 
if Q contains graphs G„ t d of n nodes and degree d so that 

• For an infinite number of values of d, there exists an infinite number of graphs G„ t d G Q , 
and 

• for each of these values d, the second-largest eigenvalues of G„ t d are bounded from above 
by constants X d such that lim^oo X d /d = 0. 

Pippenger [Pip93] points out that we can obtain a family of good expander graphs 
by exponentiating the expander graphs constructed by Gabber and Galil. Gabber and 
Galil [GG81] construct an infinite family of 5-regular expander graphs. By Theorem 2.4.10, 
all the eigenvalues of these graphs other than 5 must be bounded by some number A < 5. 
Consider the graphs obtained by exponentiating the adjacency matrices of these graphs 
k times. They will have degree 5 fe , and all eigenvalues but the largest will have absolute 
value at most X k . So, these yield a family of good expander graphs. These graphs will 
have multiple edges and self-loops, but this is irrelevant in our applications. Moreover, one 
could remove the multiple edges and self-loops without adversely affecting the quality of 
the expanders. 
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To construct unbalanced bipartite expander graphs, we will take the edge-vertex inci- 
dence graphs of ordinary expanders. From a rf-regular graph G on n vertices, we will derive 
a (2, (i)-regular graph with dn/2 vertices on one side and n vertices on the other. 

Definition 2.4.12 Let G be a graph with edge set E and vertex set V. The edge-vertex 
incidence graph of G is the bipartite graph with vertex set E U V and edge set 

{(e, v ) G E X V : v is an endpoint of e} . 

Our analyses of these graphs will follow from Lemma 2.4.6. 

For some constructions, we will want graphs of higher degree. To construct these, we 
use a more general construction due to Ajtai, Komlos and Szemeredi [AKS87]: 

Definition 2.4.13 Let G be a graph with edge set E and vertex set V. The A;-path-vertex 
incidence graph of G is a bipartite graph between the set of paths of length k in G and the 
vertices of G in which a vertex of G is connected to each path on which it lies. (A path of 
length A; is a sequence of vertices Vi, . . . , v k+ i such that (f,, v i+ i) £ E for each f < i < k.) 

We analyze the expansion properties of these graphs through the following fact proved by 
Kahale [Kah93a]. 

Lemma 2.4.14 [Kahale] Let G„ t d be a rf-regular graph on n nodes with second-largest eigen- 
value bounded by A. Let S be a subset of the vertices of G„ t d of size jn. Then, the number of 
paths of length k contained in the subgraph induced by S in G„ t d is at most 

1 nd k { 1 + \{l- 1 )) k . 

A proof of this fact can also be found in [AFWZ]. The difference of a factor of two between 
Lemma 2.4. 14 when k = 1 and Lemma 2.4.6 is due to the fact that in Lemma 2.4.14 each 
path is being counted twice: once for each endpoint. 
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2.4.1 Expander graphs of every size 

It is natural to wonder how often the conditions of Theorem 2.4.7 are met. By the law 
of quadratic reciprocity, p is a quadratic residue modulo q if and only if q is a quadratic 
residue modulo p, for p and q primes congruent to 1 modulo 4. Thus, for a given p, we 
can bound the gaps between successive g's that satisfy the conditions of Theorem 2.4.7 by 
bounding the sizes of gaps between successive primes in arithmetic progressions. One can 
do this using the following theorem of Heilbronn [Hei33]: 

Theorem 2.4.15 [Heilbronn] Let ir(x;k,l) denote the number of primes less than x and 
congruent to / modulo k. Then, there exists a constant a < 1 such that 

In x 1 

lim (ir(x + x a ; k, I) — ir(x; k, /)) 



<t>(ky 

where / is relatively prime to k and (f>(k) denotes the number of positive integers less than and 
relatively prime to k. 

Definition 2.4.16 Let Q = {G,}^ be a sequence of graphs such that G, has ra, vertices, 

and n i+ i > ra,. We say that Q is dense if ra, +1 — ra, = o(ra,). 

Theorem 2.4.15 implies that LPS-M graphs are dense. It is not difficult to see that the 
graphs obtained by exponentiating the expander graphs of Gabber and Galil are dense as 
well. 

A dense family provides expander graphs of size close to almost every number; but, we 
will need good expanders of every sufficiently large number of vertices for our constructions 
in Chapter 3. We build such a family from a dense family by removing a few nodes from 
the expanders in such a way that they remain good expanders. 

Definition 2.4.17 Let G be a graph. If S is a subset of the vertices of G such that no two 
vertices of S are neighbors or share a common neighbor, then we call S a doubly independent 
set of vertices. 

If G is a rf-regular graph with n vertices, then it is easy to see that it will have a doubly- 
independent set of at least n/(d 2 + 1) vertices. Moreover, we can show that if a doubly- 
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independent set of vertices is removed from a good expander graph, then it remains a good 
expander graph. 

Proposition 2.4.18 Let G be a rf-regular graph on n vertices such that all eigenvalues but 
the largest have absolute value at most A. Let G' be a graph obtained from G by removing a 
doubly-independent set of vertices. Then, for any subset X of the vertices of G', the neighbors 
of X , N(X), must have size 

\N(X)\ > \X\ ( m - 1 ) . 

Proof: We will show that the set of neighbors of X in G' can be smaller than its set 
of neighbors in G by at most one neighbor for each vertex in X . Let S denote the set of 
vertices that were removed from G to obtain G'. The only vertices that could be neighbors 
of X in G but not in G' are those that are in S. However, if there are two vertices in S 
that are both neighbors of one vertex in X, then S could not be a doubly independent set. 
Thus, the proposition follows from Theorem 2.4.3. ■ 

Proposition 2.4.19 Let G be a rf-regular graph on n vertices such that all eigenvalues but 
the largest have absolute value at most A. Let G' denote a graph that can be obtained from G 
by removing a doubly-independent set of vertices, S. Let X be a subset of the vertices of G' of 
size jn. Then, the number of edges contained in the subgraph induced by X in G is at most 



n 
— i 

2 



Moreover, each vertex of G' has degree either d or d — 1. 

Proof: Follows from Lemma 2.4.6 because the subgraph induced by X in G' is the same 
as the subgraph induced by X in G. ■ 

Remark 2.4.20 Not only can we find expander graphs with any number of vertices, but we 
can find expander graphs with any number of edges as well. We need merely choose a graph 
that has a few more edges than we desire, and remove a few of them. It is easy to remove edges 



50 Expander codes 



so that each vertex still has degree d or d — 1 and the graph has expansion properties similar to 
those obtained in Propositions 2.4.18 and 2.4.19. 

For more information about expander graphs and algebraic graph theory, we recommend: 

• Nabil Kahale. Exander Graphs. PhD thesis, M.I.T., September 1993. 

• Norman Biggs. Algebraic Graph Theory. Cambridge University Press, New York, NY, 
second edition, 1993. 

• Dragos M. Cvetkovic, Michael Doob, and Horst Sachs. Spectra of graphs : theory and 
application. Academic Press, New York, 1990. 

2.5 Explicit constructions of expander codes 

Let G be a rf-regular graph in which every eigenvalue but d has absolute value at most A. 
Let B be the edge- vertex incidence graph of G. We will construct codes of the form C(B, S), 
where S is itself a fairly good code of constant block length (recall Definition 2.2.1). The 
reason that we will be able to decode these codes is that when a constraint is unsatisfied, we 
know much more than just this bit of information. Usually, there is a codeword of S that is 
closest to the word described by the variables in the constraint. If this word is sufficiently 
close to the codeword, then the algorithm will flip those variables that must be changed in 
order to obtain that codeword. 
Assume that S has minimum relative distance e. 

Parallel explicit expander code decoding round 

• In parallel, for each constraint, if the setting of the variables in that constraint is 
within e/4 of a codeword, then send a "flip" message to every variable that needs to 
be flipped to obtain that codeword. 

• In parallel, every variable that receives the message "flip", flips its value. 

Remark 2.5.1 One parallel explicit expander code decoding round can be performed by 0(n) 
processors in constant time. Similarly, one could implement this as a linear-size circuit of 
constant depth. 
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Lemma 2.5.2 Let S be a linear code with rate r, minimum relative distance e and block-length 
d. Let G be a rf-regular graph such that all eigenvalues but d have absolute value at most A. 
Let B be the edge-vertex incidence graph of G. Then C(B,S) has rate 2r — 1 and minimum 
relative distance at least 

6 = 7 2 + (7 — 7 2 )-r, where 

jd+ (1 - 7)A < ed. 

Moreover, if 

e 2 e A 

768 > 16 " d' 

then the iteration of O(logra) parallel explicit expander code decoding rounds will correct a |^ 
fraction of errors. This algorithm can be simulated on a sequential machine in linear time. 

Proof: Lemma 2.4.6 implies that B expands by a factor of at least 

7« 



(7 2 + ^(7-7 2 )) 



on sets of variables of size 

nd ( , A . 

T (7 2 + ^(7-r 

Using this bound, the bounds on the rate and minimum distance of C(B nd , S) follow im- 
mediately from Theorem 2.2.2. 

Let X be a set of at most a^ variables. We will show that if a decoding round is given 
a word that is 1 for all v G X , and elsewhere, then it will output a word whose weight is 
less by a constant factor, provided that a is not too big. 

We will say that a constraint is confused if it sends a "flip" message to a variable that 

is not in X. In order for this to happen, the constraint must have at least |ed variables of 

X as neighbors. Each variable of X can be a neighbor of two constraints, so there can be 

at most 

a^ ■ 2 _ 4cra 
\ed ~ ~3T 
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confused constraints. Each of these can send at most |<i "flip" signals, so at most 

4an e nd 2a 

~3T' 4 ~ ~2 3~ 

variables not in X will receive "flip" signals. 

We will call a constraint unhelpful if it has more than | neighbors in X. A variable in 
X will flip unless both of its neighbors are in unhelpful constraints. There are at most 

afra-2 4cra 
\ed e 

unhelpful constraints, which by Lemma 2.4.6 can have at most 

nd ( [4a\ 2 f 4a\ \\ 

t((t) + (t)j] 

edges among them. So, the weight of the output codeword must decrease by at least 

nd J 2a ( 4a\ 4a A 

— a 

2 \ 3 

The worst case is when a is maximized. If we set a = §7, then we obtain 

nd ( e 2 e A 

T V768 ~ 16 "d 

Thus, the weight of the output codeword must decrease by a constant factor. 

To simulate this algorithm in linear time, one should maintain a list of the unsatisfied 
constraints. When simulating any round after the first, the algorithm should only consider 
the variables that appear in those constraints. We have proved that the sizes of these sets 
of variables has a bound that decreases by a constant factor with each iteration, so the total 
time required to simulate the O(logra) rounds will be linear. ■ 

To obtain an infinite family of good codes, we will use a family of good expander graphs 
and good codes known to exist by Theorem 1.4.1. 

Theorem 2.5.3 For all e such that 1 — 2H(e) > 0, where H(-) is the binary entropy function, 
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there exists an easily constructible family of linear codes with rate 1 — 211(e) and minimum 
relative distance arbitrarily close to e 2 such that the parallel decoding algorithm will decode up 
to a j^ fraction of errors using O(logra) parallel explicit expander code decoding rounds. This 
decoding algorithm can be simulated in linear time on a sequential machine. 

Proof: Any family of good expander graphs will suffice. For example, we could use those 
known to exist by Theorem 2.4.7. Let G„ t d denote a graph of degree d on n vertices from 
this family, if such a graph exists. Let X d be an upper bound on the eigenvalues other than 
d in the graphs G n ^. Let B„ id denote the edge- vertex incidence graph of G n ^. 

As we let d grow large in Theorem 2.5.2, the ^f terms tend to zero. Moreover, Theo- 
rem 1.4.1 tells us that, for sufficiently large block-length d, there are linear codes of rate r 
and minimum relative distance e if r < 1 — H(e). We use such a code as the subcode in the 
construction of Theorem 2.5.2. ■ 

2.5.1 A generalization 

Noga Alon has pointed out that the "edge to vertex" construction that we use to con- 
struct expander codes is a special case of a construction due to Ajtai, Komlos and Sze- 
meredi [AKS87]. They construct unbalanced expander graphs from regular expander graphs 
by identifying the large side of their graph with all paths of length k in the original graph 
and the small side of their graph with the vertices of the original graph. A node identified 
with a path is connected to the nodes identified with the vertices along that path. The 
construction used in Theorem 2.5.2 is the special case in which k = 1. 

Alon suggested that the codes produced by applying the technique of Theorem 2.5.3 to 
this more general class of graphs can be analyzed by applying Lemma 2.4.14. 

Theorem 2.5.4 For all integers k > 2 and all e such that 1 — kH(e) > 0, there exists an easily 
constructible family of linear codes with rate l — kH(e) and minimum relative distance arbitrarily 
close to e 1+1 /( fe_1 ) such that a parallel decoding algorithm will decode some 0(e 1+1 ^ k ~ 1 " 1 ) 
fraction of errors in O(logra) parallel decoding rounds, each of which takes constant time. 
Moreover, this algorithm can be implemented to run in linear time on a sequential machine. 
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Proof: [Sketch] As in Theorem 2.5.2, we will use the graphs known to exist by Theo- 
rem 2.4.7. We will form a code by using the £;-path-vertex incidence graph of G„ tP+ i and 
by using a Gilbert- Varshamov good code as the subcode. Theorem 1.4.1 implies that for 
sufficiently large block-length p+1, there exist linear codes of rate r and minimum relative 
distance e provided that r < 1 — H(e). Moreover, as p + 1 grows large, the terms involving 
A in Lemma 2.4.14 goes to zero. If this term were zero, then we would know that every set 
containing an e - ^ fraction of the variables has at least an e~ fraction of the constraints 
as neighbors. Because there are nd k variables of degree k and n constraints of degree kd k , 
Theorem 2.2.2 would imply that no word of weight up to e - ^ can be a codeword. However, 
because A never actually reaches zero, we can only come arbitrarily close to this bound. 

To decode these codes, we modify the parallel explicit expander code decoding algorithm 
so that each constraint sends a "flip" message to its variables only if the setting of its 
variables is within e/h of a codeword, for some constant h depending on k. An analysis 
similar to that in the proof of Theorem 2.5.2 shows that if an a fraction of the variables 
were corrupted at the start of a round, then at most an 



a(k + 1) t ah (ah X d f ah 



h — 1 e V £ d 

fraction of the variables will be corrupt after the decoding round. We can choose a to be 
some fixed fraction of e 1+1 / fe and a value for h so that this term is less than a. 

The idea behind the sequential simulation of this algorithm is the same as appeared in 
the proof of Theorem 2.5.2. ■ 

2.6 Notes on implementation and experimental results 

We imagine using expander codes in coding situations where long block length is required. 
For small block lengths, special codes are known that will provide better performance. 
Expander codes should be especially useful for coding on write-once media, such as Compact 
Discs, where fast decoding is essential, the time required to encode is not critical, and codes 
of block length roughly 10,000 are already being used [Ima90]. 
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If one intends to implement expander codes, we suggest using the randomized construc- 
tion presented in Sections 2.1.1 and 2.3. We obtained the best performance from graphs 
that had degree 5 at the variables. It might be possible to get good performance with 
randomly chosen graphs and slightly more complex constraints, but we have not observed 
better performance from these. 

One drawback of using a randomly chosen graph to generate an expander code is that, 
while the graph will be a good expander with high probability, we know of no polynomial 
time algorithm that will certify that a graph has the level of expansion that we need for 
this construction. 3 On the other hand, it is very easy to perform experiments to test the 
performance of an expander code and thereby weed out those that do not work well on 
average. 

We now mention a few ideas that we hope will be helpful to those interested in imple- 
menting these codes. 

• When one chooses a random graph as outlined in Section 2.1.1, there is a good chance 
that the graph produced will have a "double edge". That is, two edges between the 
same two vertices. We suggest using a simple heuristic to remove one of these edges, 
such as swapping its endpoint with that of a randomly chosen edge. If one is choosing 
a relatively small graph, say of 2,000 nodes, then there is a fair chance that there will 
be two variables that share two neighbors. Again, we suggest discarding such graphs. 
In general, if one is choosing a relatively small graph, then there is a reasonable chance 
that it will have some very small set of vertices with low expansion. We were always 
able to screen these out by experiment. 

• The sequential decoding algorithm presented in Section 2.3.1 can be improved by the 
same means as many "slope-descent" algorithms. In experiments, we found that a 
good way to escape local minima was to induce some random errors. The sequential 
decoding algorithm also benefits from a little randomness in the choice of which vari- 
able it flips next. We also found that we could decode more errors if we allow the 



3 Computation of the eigenvalues of the graph does not work because Kahale [Kah93a] has proved that 
the eigenvalues cannot certify expansion greater than d/2. 
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algorithm to make a limited amount of negative progress. This finding is evidenced 
in figure 2-4. 

• The parallel decoding algorithm presented in Section 2.3.3 seems better suited for 
implementation in hardware than the sequential algorithm. The performance of this 
parallel algorithm can be improved by changing the threshold at which it flips vari- 
ables. An easy improvement is to start the threshold high and decrease it only when 
necessary. The algorithm performs even better if one only flips the variables that have 
the maximum number of unsatisfied neighbors. Of course, many hardware implemen- 
tations will not allow this flexibility. We suggest that the implementer experiment to 
discover the arrangement of thresholds that performs best in their application. 

These codes really are very easy to implement. We implemented these codes in C after 
a few hours work and set about testing their performance. In each test, we chose a random 
bipartite graph of the correct size and tested the performance of various decoding algorithms 
against random errors. For our tests, we never performed encoding — it suffices to examine 
the performance of the decoding algorithms around the word. We present some results of 
our experiments so that the reader will know what to expect from these codes. However, 
we suggest that researchers implement and try them out on the error-patterns that they 
expect to encounter. 

2.6.1 Some experiments 

In our experiments, we found that expander codes of the type discussed in Section 2.3 
performed best when derived from a randomly chosen graph with degree 5 at the variables. 
We varied the rates of our codes by changing the degrees of the graphs at the constraints. 
In Figure 2-3, we present the results of experiments performed on some expander codes 
of length 40,000. We began by choosing an appropriate graph at random as described in 
Section 2.1.1. We then implemented a variation of the sequential decoding algorithm from 
Section 2.3.1 in which we allowed the algorithm to flip a limited number of variables even if 
they appeared in only two unsatisfied constraints (we call these "negative progress flips"). 
We then tested each code on many error patterns of various sizes. For each size, we choose 
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50,000 error patterns of this size uniformly at random. Points in the graph indicate the 
number of errors that a code corrected in all 50,000 tests. One can see that the expander 
codes corrected an amazingly large number of errors. 

Some expander codes of length 40,000 




Figure 2-3: Number of errors expander codes could almost always correct. For example, 
the point in the upper left hand corner of the figure indicates that the code of rate 1/2 
corrected all of the 50, 000 patterns of 1, 720 errors on which it was tested. 



In Figure 2-4, we compare the performance of a version of the sequential decoding algo- 
rithm in which we allow negative progress flips with a version in which we do not. We chose 
a rate 1/2 expander code of length 40, 000. For each number of errors, we performed 2, 000 
tests of each algorithm and counted the number of times that each successfully corrected 
the errors. While allowing negative progress flips did not seem to have much impact on the 
number of errors that the algorithms could "almost always" correct, it did greatly increase 
the chance that the algorithm could correct a given number of errors. 
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Figure 2-4: A rate 1/2 expander code of length 40,000. Comparison of the probability 
that the sequential decoding algorithm corrects a given number of randomly chosen errors 
when we do and do not allow negative progress flips (a negative progress flip occurs when 
a variable in more satisfied than unsatisfied constraints is flipped). 



Chapter 3 



Linear-time encodable and 
decodable error-correcting codes 



In this chapter, we build on the techniques developed in Chapter 2 to construct asymp- 
totically good families of error-correcting codes that have both linear-time encoding and 
decoding algorithms. We call these codes super-concentrator codes because their encoding 
circuits resemble Pippenger's construction of superconcentrators [Pip77]. In Section 3.1, we 
explain why this resemblance is necessary. 

To aid in our construction of superconcentrator codes, we introduce the notion of an 
error-reducing code. An error-reducing code has the property that if a decoder receives a 
partially corrupted codeword, then it can correctly compute a large fraction of its message 
bits. The fraction of the message bits that the decoder cannot compute should be smaller 
than the fraction of the bits of the codeword that were corrupted in transmission. In 
Section 3.2, we construct error-reducing codes that have very fast linear-time encoding and 
error-reducing algorithms. One could imagine using such a code if one is transmitting data 
that is already encoded by an error-correcting code. In such a situation, it is not necessary 
to remove ah the errors created in transmission, but it might be advantageous to quickly 
correct some of them. 

In Section 3.3, we demonstrate how to recursively combine error-reduction codes to build 
our error-correcting superconcentrator codes. The constructions in Sections 3.2 and 3.3 are 
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analogous to those in Section 2.3. The only way that we know of obtaining expander graphs 
of the quality needed for this construction is to chose the graphs at random. 

To build explicit constructions of superconcentrator codes in Section 3.4, we use a con- 
struction of error-reduction codes analogous to the construction of expander codes in Sec- 
tion 2.5. The constructions and proofs in Section 3.4 are analogous to those in Section 3.3. 

3.1 Motivating the construction 

It is not an accident that our linear-size encoding circuits look like superconcentrators. They 
have to. In this section, we will explain why. While this fact was the motivation behind 
our construction, one should be able to understand our construction without reading this 
section. 

Consider a circuit C that takes as input some bits Xi, . . .,x m , and produces as output 
bits pi, . . .,p n such that the words Xi, . . . , x m ,pi, . . .,p n form a good error-correcting code. 
This means that there is a constant 8 such that even if we erase 1 any 8m of the input 
bits and any 8n of the output bits, we can still recover the erased 8m input bits. We will 
show that this means that there must be gate-disjoint paths from the erased inputs to some 
subset of the un-erased outputs. 

Assume that we cannot find 8m vertex-disjoint paths from the erased inputs to the un- 
erased outputs. Then, Menger's Theorem implies that there is some set of 8m — 1 gates in 
the circuit such that all paths in the circuit from the erased inputs to the un-erased outputs 
must go through these gates. This contradicts our assumption that it is possible to recover 
the values of the erased inputs because there are 8m bits of information in the erased input 
gates, but only 8m — 1 bits of information can get through to the un-erased output gates. 

Thus, we see that vertex disjoint paths can be drawn in the underlying graph from 
any 8m input gates into any (1 — 8)n output gates. While this property is not quite 
as strong as the property required of superconcentrators, it is sufficiently close that we 



Usually, we discuss errors in which a bit's value is flipped. It is also possible to consider the case in 
which no value is received for some bit. In this case, the decoder knows that the value of the bit has been 
lost. These errors are called erasure errors. Any error-correcting code that can tolerate the first type of 
error can also tolerate erasure errors. If one is uncomfortable with erasure errors, then just flip a coin and 
assign its value to each erased bit. One will probably be left with half as many errors of the first type. 
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decided that the easiest way to create linear-size encoding circuits would be to base them 
on Pippenger's [Pip77] construction of linear- size superconcentrators. 

3.2 Error-reducing codes 

In this section, we introduce the concept of an error-reducing code. While we are not sure 
if this idea will have practical applications, it will be useful for understanding our main 
construction. 

We will define an error-reducing code of rate r < 1, error-reduction e < 1, and reducible 
distance S < 1 to be the image of a function 

/:{0,l} rn -{0,l} n 



such that there exists a function 

ff:{0,l} n -{0,l}™ 
such that for all x £ {0, 1}™ and z G {0, 1}" 

d(f(x),z)<Sn =>■ d(x,g(z)) < ed(f(x),z). 

f is the encoding function, and g is the decoding (error-reduction) function. 

To construct an error-reducing code, we will modify the construction of expander codes 
from Chapter 2. Let B be an unbalanced bipartite expander graph with n nodes of degree 
d on one side and ra/2 nodes of degree 2d on the other. We will turn this graph into a 
circuit by directing all the edges from the large side of the graph to the small side, letting 
the nodes on the large side be the input gates, and letting the nodes on the small side be 
parity gates 2 (see Figure 3-1). These parity gates are the outputs of the circuit. 
Warning: The pictures that appear in this chapter are very similar to those that appeared in 
Chapter 2, but their meaning is different! In Chapter 2, the nodes on the right-hand side of 



A parity gate computes the sum modulo 2 of its inputs. 
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Figure 3-1: A circuit that encodes an error-reducing code. 

the bipartite graphs represented restrictions of the nodes on the left-hand side. In this chapter, 
the nodes on the right-hand size of the bipartite graphs have values that are determined by the 
nodes on the left-hand side. 

We now use this circuit to define a code lZ„ t d of rate 2/3 by placing the message bits 
at the inputs to the circuit and using the outputs of the parity gates as the check bits. 
The code we thereby obtain is a horrible error- correcting code: it has a word of weight 
d + 1 (see Figure 3-2). However, if the graph is a good expander graph, then this code is 




Figure 3-2: A low-weight codeword: only one input bit is 1, and only those parity gates 
that read this bit are 1; all others are 0. 



a good error-reducing code. It is obvious that we can encode this code in linear time (we 
need merely compute the values of the parity gates, each of which has a constant number 
of inputs). We will now show that it is possible to perform error-reduction on this code in 
linear time. 
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The decoder naturally associates each bit of the word that it receives with one of the 
gates in the encoding circuit. We will say that a parity gate in the circuit is satisfied by a 
word if the bit associated with the gate is the parity of the bits associated with its inputs. 
Otherwise, we will say that it is unsatisfied (see Figure 3-3). The decoder will successively 





(a) (b) 

Figure 3-3: (a) is a satisfied parity gate, (b) is unsatisfied. 

flip the bits associated with the input gates in an effort to decrease the number of unsatisfied 
parity gates. 

Sequential error-reduction algorithm: 

• If there is an input that is an input to more unsatisfied than satisfied parity gates, 
then flip the value of that input. 

• Repeat until no such inputs remain. 

This algorithm is essentially the same as the sequential expander-code decoding algorithm 
of Section 2.3, so it is easy to implement it so that it takes constant time for each iteration. 
At each iteration, it decreases the total number of unsatisfied parity gates, so it can run for 
at most a linear number of iterations. 

Lemma 3.2.1 Let lZ„ t d be derived from a degree (d,2d) bipartite graph between a set of 
n inputs and ra/2 parity gates such that all sets of at most an inputs expand by a factor of 
at least (|d + l). Assume that the sequential error-reduction algorithm is given a word that 
resembles a codeword o^lZ nd except that at most an/2 of the inputs have been corrupted and 
at most an/2 of the gates have been corrupted. Then, after the termination of the sequential 
error-reduction algorithm, at most an/4 of the inputs will be corrupted. 
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Proof: We will let V denote the corrupted inputs, v the size of V, u the number of 
unsatisfied parity gates with inputs in V , and s the number of satisfied parity gates with 
inputs in V. We will view the pair (u,v) as the state of the algorithm. We will first show 
that if an/4 < v < an, then there is some input in more unsatisfied than satisfied parity 
gates. The expansion of the graph implies that 

u + s > (-d+ljv. (3.1) 

Each gate with an input in V accounts for at least one wire leaving V. It is possible 
that as many as an/2 of the satisfied parity gates with inputs in V are satisfied because 
they have only one wire from V , but they have been corrupted. The rest must have two 
wires from V. By counting the dv wires leaving V, we obtain 

dv > u + s + (s - an/2) =>• dv + an/2 > u + 2s (3.2) 

Combining equations (3.1) and (3.2), we find 



s < ( -d- 1] v + an/2, 
(-d+2j v- an/2. 



and 
u > ( -d+2 )v- an/2. (3.3) 



When an > v > an/4, we have u > dv/2, so there must be some input in more unsatisfied 
than satisfied parity gates. 

To show that the algorithm must terminate with v < an/4, we show that v must always 
be less than an. We assume that when the algorithm begins v < an/2 and therefore 
u < dan/2 + an/2. As the algorithm proceeds, u must steadily decrease. However, if the 
algorithm is ever in a state (u,v) in which v = an, then equation (3.3) would imply that 
u > dan/2 + 3cra/2, which would be a contradiction. 

Thus, the algorithm must always maintain the condition that v < an. This implies that 
the algorithm cannot terminate unless it is in a state in which v < an/4. ■ 

We have proved that lZ„ t d is an error-reducing code of rate 2/3 and error-reduction 1/2. 
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It is also possible to perform error-reduction on this code in parallel. 
Parallel error-reduction algorithm 

• For each input, count the number of unsatisfied parity gates to which it is an input. 

• For each input that is an input to more unsatisfied than satisfied parity gates, flip the 
value of that input. 

It is easy to implement this algorithm as a constant-depth circuit of linear size. 

Lemma 3.2.2 Let lZ„ t d be derived from a degree (d,2d) bipartite graph between a set of n 
inputs and ra/2 parity gates such that all sets of at most an inputs expand by a factor of at 
least (| + e) d, for any e > 2/d. Assume that the parallel error-reduction algorithm is given a 
word that resembles a codeword of lZ n d except that at most v < an/2 of the inputs have been 
corrupted, and at most b < an/2 of the gates have been corrupted. Then, after the execution 
of the parallel error-reduction algorithm, at most 

v + ^(6 + 8e) t , 
d — -. (3.4) 

of the inputs will be corrupted. 

Proof: We will let V denote the set of corrupted inputs, F the set of corrupted inputs 
that fail to flip, and C the set of inputs that were originally clean, but which become 
corrupted by the parallel error-reduction algorithm. We will let N(V), the neighbors of V, 
denote the set of parity gates that contain inputs in V. We will let v = \V\, 4>v = \F\, 
jv= \C\, and Sdv = \N(V)\. 

We begin by obtaining a bound on (f> in terms of 8. Every input in F is an input to at 
least as many satisfied as unsatisfied parity gates. At most b of these satisfied parity gates 
are satisfied because they have been corrupted. Thus, at least ^- — b of the wires leaving 
F end in a parity gate that contains a wire from another element of V. Thus, the set V 

can have at most 

d(f>v b 

dv 1 — 

4 2 
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neighbors. Because we have set the number of neighbors of V to be 8dv, we obtain 

d(f>v b 



Sdv < dv 



4 2 



dv 
Next, we will bound 7 in terms of 8 by showing that 



dvcb , „. , b 

-J- < (l-6)dv + - 

<f> < 4(1-*) + ^ (3.5) 



7 <^t±t±. (3.6) 



4 



Assume by way of contradiction that this is false, and let C" be a subset of C of size exactly 
— 1,^ — — • Each input in C is an input to at least d/2 unsatisfied parity gates. At most b 
of these gates can be unsatisfied because their parity gate has been corrupted. The others 
must be unsatisfied because they have an input in V. Thus, the number of parity gates 
containing inputs in the set V U G" is at most 

d6v + -\C'\ + b. 

We will set e > 2/d, which will imply that \C U V\ < an, so this set must expand by a 
factor of at least (| + e). Thus, we obtain 



(^ + ^\C'uV\<d8v + ^\C'\ + b, 



which contradicts our assumption about the size of C" . 

By combining equations (3.5) and (3.6), we find that the number of corrupted inputs 
after an execution of the parallel error-reduction algorithm is at most 

(^ + 1 )v < v S ~(\ +e) + ^ +4(1-8) + ^- 
t,(I + 3e-4e«) + i+(i + e)f 



k + < 



l + 4e 



3.3 
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message parity 
bits bits 




Good Code 



Figure 3-4: A good code embedded in an error-reduction code. 

We can iterate this algorithm a constant number of times in order to further reduce the 
number of corrupted input bits. 



3.3 Error-correcting codes 



The main idea in our construction of linear-time encodable and decodable error-correcting 
codes is to use the linear-time encodable and decodable error-reducing codes recursively. 
Imagine what happens when we take a good error- correcting code of length n and use the 
words of this code as the message bits of an error-reducing code (See Figure 3-4). We now 
have an error-correcting code of greater length with a higher error-tolerance; however, it has 
the same number of message bits as the original code. To increase the number of message 
bits in the code, we will create a new set of more message bits, and encode these message 
bits in an error-reduction code. We then use the check bits of this error-reduction code as 
the message bits of the error-correcting code we just constructed (See Figure 3-5). 

When we apply this construction recursively, we find that not only have we defined 
the error-correcting code, but we have created a linear-size circuit that encodes the error- 
correcting code. Moreover, the output of each gate of this circuit is a check bit of the 
error-correcting code. This will be true with one small exception: we should choose a 
better base case for our recursion. The performance of our code will be dictated by the 
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message parity 
bits bits 





Good Code 



(a) 



(b) 



Figure 3-5: The recursive construction of C\. (a) is the error-reducing code on the new 
message bits, (b) is the error-reducing code placed on top of the error- correcting code. 

quality of the code that we choose as our base. Thus, we may want to choose a particularly 
good code of small block length. Another constraint is that we don't know that we will be 
able to find good expander graphs of small size. However, there definitely is some constant 
size after which we will be able to find good expander graphs, and which we will choose to 
be the block length of our base code. 

We will now present a formal description of one family of superconcentrator codes. We 
provide this description by describing the encoding circuits for these codes. 

Description of superconcentrator codes: 

• Choose absolute constants b and d. 

• Choose a code Cb of length 4 • 2 6 , rate 1/4, and as large minimum distance as possible. 

• Let C'b be a circuit that takes 2 6 bits as input and produces 3 • 2 6 bits as output so that 
these bits taken together form a codeword of Cb- (The 2 6 inputs bits are the message bits 
of the code, and the others are the check bits.) 



• For k > 6, let R k and R' k be circuits that encode an error-reduction code of rate 2/3 with 
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2 k message bits and 2 fe /2 check bits, as described in Section 3.2. 

• To form circuit C\ from Cj,-i, take a copy of R k and use the inputs of R k as the inputs 
of C\. Add Cu-i to the circuit by identifying the output gates of R k with the inputs of 
Cu-i- Finally, attach a copy of R' k+1 by identifying all the input and output gates of the 
copy of Cu-i with the inputs of R' k+1 . The output gates of C\ will be all the input and 
output gates of Cu-i along with the output gates of R' k+1 (See Figure 3-5). 

• Let Cu be the rate 1/4 code obtained by taking 2 h message bits, feeding them into C\, 
and using the 3 • 2 h output bits as the parity checks of the code. 

We can decode these codes in linear sequential time. 
Sequential superconcentrator code decoding algorithm: 

• If k = b, then decode C'b using an arbitrary decoding algorithm. 

• If k > 6, then apply the sequential error-reduction algorithm to the nodes in the R' k+1 - 
Now, recursively decode the nodes in the copy of Cu-i using the sequential decoding 
algorithm for Cu-i- Finish by applying the sequential error-reduction algorithm to the 
copy of R k . 

Theorem 3.3.1 If the superconcentrator code C k is constructed from degree (d,2d) graphs 
such that in each graph, every at most a fraction of inputs expands by a factor of at least 
(|rf+ 1), and if C fo is chosen to be a code in which any a/2 fraction of errors can be corrected, 
then the sequential superconcentrator code decoding algorithm will correct up to an a/8 fraction 
of errors and will run in linear time. 

Proof: We assume that there are at most a2 k /2 errors in the nodes of C\. By Lemma 3.2.1, 
after we apply the sequential error-reduction algorithm R' k+1 , there will be at most a2 k /4 
errors in the nodes of the copy of Cu-i- We can now assume by induction that the de- 
coding algorithm for Cu-i will correct all the errors in its input and output nodes. As the 
input nodes of Cu-i are now the check bits of the error-reduction code lZ k corresponding 
to the message originally contained at the inputs of the copy of R k , and there are at most 
a2 k /2 errors in these message bits, we can use the sequential error-reduction algorithm to 
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correct all the errors in the input nodes of R k (This can be easily observed from the proof 
of Lemma 3.2.1, or from the analysis of the sequential expander code decoding algorithm 
in Theorem 2.3.1). Since the inputs of R k are the inputs of C\, we have removed all the 
errors from the message bits of the code. 

To see that this algorithm runs in linear time, observe that each error-reduction step 
runs in time that is linear in the number of bits that it is acting on, and each step acts on 
half as many bits as the previous step did. ■ 

It is easy to see that there is a constant a that satisfies the requirements of Theorem 3.3.1, 
but we will not attempt to optimize the constant here. We will note that the main constraint 
on the constant is in the analysis of the quality of expansion obtained by a randomly chosen 
graph. 

Remark 3.3.2 We have only constructed codes of lengths 2 k where k is an integer. It is easy 
to use similar techniques to construct codes of other lengths. 

We need to be slightly trickier to decode the superconcentrator codes in parallel loga- 
rithmic time. The problem that we must overcome is that if we iterate the parallel error- 
reduction algorithm enough times to remove all the errors from the input bits of C 8 -, we 
will need to go through 0(i) iterations. If we did this for each C 8 -, then we would have an 
0(log 2 n) time algorithm. To overcome this problem, we will perform the error-reductions 
from the input bits of C 8 -_i to the input bits of C 8 - simultaneously for all i. Thus, while the 
input gates of C 8 -_i are being used to reduce the errors in the input gates of C 8 -, the input 
gates in C 8 - are being used to reduce the errors in the input gates of Cj+i. 

In order to show that the reduction of errors of the bits of C 8 - using the output bits of 
R'i+i works, we will assume e = | + e', for e' > and d > 16. We now wish to observe that 
if b < an/2, and an/4 < v < an/2, then after one round of the parallel error-reduction 
algorithm, v will decrease by a constant multiplicative factor. From equation (3.4), we can 
see that this constant factor will be bounded by the decrease that occurs when v = an/4 
and b = an/2. By plugging these values into equation (3.4), we can see that this constant 
is less than 1. We now know that if v < an/2 and b < an/2, then after a constant number 
of rounds, we will have v < an/4. Let c be this constant. 
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To prove the correctness of the error-reductions on the input nodes of the Cj's, we will 
assume that there is a w < an/2 such that v < w and b < w/2. By substituting into 
equation (3.4), we find that after one decoding round the number of corrupted inputs is 
bounded by 

l+fl + ^ + ^N / ii 

d 



i ,d'd 2 'd.. . 

w _ . 1fi . , , < W 1 



T + 4e' / I 1 + If + 4e' 



Let 7= (1- i + j +4£ ' J- 

We can now state the parallel superconcentrator code decoding algorithm. 

Parallel superconcentrator code decoding algorithm: 

• For i = k — 1 to b: Apply c rounds of the parallel error-reduction algorithm using the 
inputs and outputs of C 8 - as the message bits, and the outputs of R' k+l to which they are 
attached as the check bits. 

• Decode the errors in C'b using any decoding algorithm. 

• For logj / 2 k rounds: Apply the parallel error-reduction algorithm to the copy of R t 
between the inputs of C 8 - and the inputs nodes of C 8 - + i, simultaneously for all b < i < k — 1. 

Theorem 3.3.3 If the superconcentrator code Cu is constructed from degree (d,2d) graphs 
such that in each graph, every at most a fraction of inputs expands by a factor of at least 
(| + 1 + e')d, for some e' > and d > 16, and if Cb is chosen to be a code in which any a/2 
fraction of errors can be corrected, then the parallel superconcentrator code decoding algorithm 
will correct up to an a/8 fraction of errors in logarithmic time with a linear number of processors. 

Proof: We begin by assuming that there are at most a2 k /2 errors in the bits of C\. 
After we apply c rounds of the parallel error-reduction algorithm to Rk+i, there will be at 
most a2 k /A errors in the bits of the copy of Cu-i- Similarly, after we have finished the i-th 
stage of the algorithm, there will be at most a2 k /2 l+1 errors in the bits of Cu-i- Thus, 
Ci, will have fewer than a2 b /2 errors, so the decoding algorithm for C'b will correct all the 
errors in Ch. 
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We can now move on to the decoding of the input bits of the Cj's. We have already 
observed that the input bits of C 8 - have at most a2 l /2 errors and that the input bits of C'b are 
free of error. Thus, after we apply one round of the error- reduction algorithm simultaneously 
to ah of the _R 8 -'s, the input bits of C 8 - will have at most 7ci2 8 /2 errors. Similarly, after we 
apply the error-reduction algorithm for logj / 2 k rounds, there will be no more errors in any 
of the input nodes of C\. ■ 

3.4 Explicit Constructions 

The relation between our hrst constructions of superconcentrator codes and our explicit 
constructions is analogous to the relation between our constructions of expander codes in 
Sections 2.3 and 2.5. We will begin by generalizing our construction of error-reducing codes. 

If we view the inputs to one of the parity gates in Section 3.2 as the message bits of 
a code, then we can view the parity gate as computing a check bit associated with those 
message bits. This bit is chosen so that when it is considered with the input bits, these 
bits form a word in the code of even weight words. To generalize this construction, we will 
associate a collection of parity gates with each node on the small side of the bipartite graph, 
and we will connect them to their inputs so that these gates compute the check bits of a 
codeword in some more complex error-correcting code. We call such a collection of parity 
gates a cluster. 

As in Section 2.5, we will make use of a family of good expander graphs, such as those 
described in Section 2.4. 

We now define the circuits R(G,C) that will encode our explicit error-reduction codes. 

Explicit error-reduction codes: 

• Let G be a rf-regular graph on n vertices, and let C be a linear error-correcting code 
of block-length / with d message bits. Let B be the edge- vertex incidence graph of G. 

• The circuit R(G,C) will have dn/2 input gates and (/ — d)n parity gates. 

• Each node on the large side of B will correspond to an input of R(G,C). The parity 
gates are arranged into clusters of size / — d, and each cluster is identified with one of 
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the nodes on the small side of B. The input gates that are neighbors of a cluster will 
be called the inputs of the cluster. 

• The parity gates are connected to the input gates so that for each cluster, if the inputs 
of that cluster are the message bits of a codeword of C, then the parity gates in the 
cluster compute the check bits of that codeword. 

• Let 1Z(G,C) denote the code obtained by using the inputs of R(G,C) as message bits 
and the outputs of the circuit as check bits. 

To prove that 1Z(G,C) is a good error-reduction code if G is a good expander graph, we 
will use Lemma 2.4.6. 

To perform error-reduction on 1Z(G,C), we will associate each bit of a received word 
with an input or gate of R(G,C), as we did in Section 3.2. 

Parallel explicit error-reduction algorithm: 

• In parallel, for each cluster, if the bits associated with the inputs and gates of a cluster 
are within f of a codeword of C, then send a "flip" message to every input that needs 
to be flipped to obtain that codeword. 

• In parallel, every input that receives the message "flip", flips its value. 

We can now prove a lemma for our explicit construction that is analogous to Lemma 3.2.2. 

Lemma 3.4.1 Let {G„ t d} be a family of good expander graphs. There exist constants d and g 
such that if the parallel explicit error-reduction algorithm is given as input a word that resembles 
a codeword of lZ(G„ t d,C) except that for some w < — ra| 

• at most j < v < 2w inputs are corrupted and at most b < w parity gates are corrupted, 
then after the execution of the algorithm, the number of corrupted inputs will decrease by a 
constant multiplicative factor, and 

• if at most v < ^ of the inputs are corrupted and at most b < w of the parity gates are 
corrupted, then after the execution of the algorithm, at most ^ inputs will be corrupted. 
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Proof: Let V be the set of v corrupted inputs. Set a and (3 so that v = an^ and 
6 = /3nf. 

We will say that a cluster is confused if it sends a "flip" message to an input that is 
not corrupt. In order for a cluster to be confused, it must have at least yd corrupt inputs 
and gates. Thus, there can be at most 

nf(2a + /3) 
fed 

6 

confused clusters. Each of these can send at most |ed "flip" messages, so at most 

nf(2a + /3) 1 , n$(2a + /3) 

— - — s- — ; • -e« = — 

ied 6 5 

6 

uncorrupted inputs can receive "flip" signals. 

We will call a cluster unhelpful if it has a node of V among its inputs, but it fails to 
send a "flip" signal to that node. There can be at most 

nf(2c* + /3) 

6 

unhelpful clusters. By Lemma 2.4.6, there can be at most 

d I /6a + 3/3\ /6a + 3/3\ X d 
n— iii 



2 \\ e J \ e J d 

inputs both of whose neighbors are unhelpful clusters. 

The total number of corrupted inputs after the algorithm is run will be at most 

d{2a + f3 /6a + 3/3\ 2 /6a + 3/3\A/ 
n- 



2 \ 5 V e / V e d 



Set w = —n^. We want to show that 

g 2 

2a + (3 /6o+_3/3\ 2 / 6ct + 3/3 \ X d 
for (3 G [0, — ] and a 6 [-, — ]. Because the function in consideration is decreasing in /3, and 
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quadratic in a with positive coefficients, it suffices to consider the function at the points 
a G 1 1- , — \ and 8 = —. For a = |- , we need 









e 2 /6e\ 2 6e 
10# V 5 ) 9 




and for a = 


2£ 

g '■ 


we need 


e 2 A5e\ 2 15e 
9 \ 9 J 9 





We now see that, given e, we can choose g and then d so that both of these inequaiities 
hoid. For iower vaiues of w, the ciaim follows from a similar analysis. 

To prove the second claim, it suffices to observe that the function in question is decreas- 
ing in a for a > 0. ■ 

We will find it convenient to let C be a code of length 5d/4 and rate 4/5. By Theo- 
rem 1.4.1, there exists a code with length |d, rate |, and relative minimum distance e for 
H(e) < 1/5. 

To obtain an explicit construction of superconcentrator codes, we will need expander 
graphs of very particular sizes. Fortunately, we demonstrated in Section 2.4.1 how to con- 
struct good expanders of every sufficiently large number of vertices. By Proposition 2.4.19 
and Remark 2.4.20, we can construct bipartite graphs between any number of degree-2 
vertices and a set of vertices in which each vertex has degree d — 1 or d and such that the 
graphs have expansion properties like those graphs used in Lemma 3.4.1. The effect of the 
differing degrees of the vertices on the small side of the graph can be made negligible by 
slightly altering some of the codes associated with some of these vertices. Thus, we can 
assume that we can obtain good error-reduction codes of any sufficiently large size, and 
that they perform as described in Lemma 3.4.1. 

Explicit superconcentrator codes: 

• Choose a family of good expander graphs, Q = {G„ t d} such that the subfamily for each d 
contains a dense subsequence. 

• Choose a constant d and a code C'd of rate 4/5, length 5d/4 and minimum relative distance 
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e where e > H(l/5). (As described in the previous paragraph, we will assume that Q 
contains a graph of every sufficiently large number of vertices in which every vertex has 
degree d or d — I.) 

• Choose a constant b and a code Cb of length 4-2 6 , rate f/4, and as large minimum distance 
as possible. Let C'b be a circuit that takes 2 6 bits as input and produces 3 • 2 6 bits as 
output so that these bits taken together form a codeword of Cb- (The 2 6 inputs bits are 
the message bits of the code, and the others are the check bits.) 

• For k > 6, let R k and R' k be the circuits RiG^^^Cd) defined earlier in this section. We 
have chosen the code d so that this circuit has 2 k input gates and 2 fe /2 parity gates (If 
the graph isn't rf-regular, then we might have to modify the codes at the clusters slightly 
to make sure that we have 2 fe /2 parity gates, but this effect is insignificant). 

• To form circuit C k from C^-i, take a copy of R k and use the inputs of R k as the inputs 
of C k . Add C k -i to the circuit by identifying the output gates of R k with the inputs of 
C k -i- Finally, attach a copy of R' k+1 by identifying all the input and output gates of the 
copy of C k -i with the inputs of R' k+1 . The output gates of C k will be all the input and 
output gates of C k -i along with the output gates of R' k+1 . 

• Let C k be the code obtained by taking 2 k message bits, feeding them into C k , and using 
the 3 • 2 k output bits as the parity bits of the code. 

Lemma 3.4.1 implies that there is a constant c such that if v < w and b < w, where 
w < 2 k e 2 /g, then after c executions of the parallel explicit error-reduction algorithm, we 
will have at most w/2 corrupted inputs. Similarly, there exits a constant 7 < I such that if 
v < 2w and b < w, then after the execution of the error-reduction algorithm there will be 
at most jv corrupted inputs. 

Parallel explicit error-correction algorithm: 

• Identical to the algorithm presented in Section 3.3, but using the definitions of C k 
and R k presented in this section. 

Theorem 3.4.2 There exist settings of the parameters of the constructions of the rate 1/4 
superconcentrator codes C k presented in this section, as well as settings of e and g, such that the 
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parallel explicit superconcentrator code decoding algorithm will correct up to an e 2 /4g fraction 
of errors in logarithmic time with a linear number of processors. Moreover, this algorithm can 
be simulated in linear sequential time. 

Proof: We use Theorem 2.4.7, Theorem 2.4.15, Proposition 2.4.19, and Remark 2.4.20 
to show that there exist expander graphs in the appropriate sizes to construct the 2/3-rate 
error-reduction codes R k . The similarity of Proposition 2.4.19 to Lemma 2.4.6 implies that 
these error-reduction codes will perform as described in Lemma 3.4.1. The rest of the proof 
of the first claim is identical to the proof of Theorem 3.3.3. 

By keeping track of which clusters of parity gates are "unsatisfied" , it is fairly simple 
to simulate this algorithm in linear time on a sequential machine (assuming that pointer 
references have unit cost). The idea is similar to that used in Theorem 2.5.2. ■ 

Remark 3.4.3 One can vary this construction to obtain asymptotically good linear-time en- 
codable and decodable codes of any constant rate. To achieve rates exceeding 1/4, one need 
merely vary the ratios of the number of gates between successive levels of the construction and 
possibly omit the last few error-reduction codes. 

Remark 3.4.4 We can replace the assumption that pointer references have unit cost with the 
assumption that retrieving O(logra) bits stored at a pointer has O(logra) cost. We do this by 
concatenating the superconcentrator codes with some good code of length O(logra). The inner 
code can be decoded by O(ra/logra) table look-ups (or it can be decoded recursively) and the 
outer code now contains O(ra/logra) symbols of length O(logra). The outer code can now be 
decoded in linear time using O(ra/logra) pointer references if we use a natural generalization of 
the superconcentrator codes to alphabets of size O(logra). 

3.5 Some thoughts on implementation and future work 

Superconcentrator and expander codes will probably only be useful in coding schemes using 
long block lengths; for small block lengths, many better special codes are known. The trade- 
off of rate versus error tolerance of the superconcentrator codes that we have constructed is 
not nearly as good as the tradeoff obtained by the expander codes constructed in Chapter 2. 
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In our view, we have added a lot of extra redundant information in order to make the codes 
encodable and decodable in linear time. Thus, we do not feel that it would be appropriate 
to use these codes on a channel in which bandwidth is at a premium. However, if one has a 
fast channel with bandwidth to spare, then it might be reasonable to use the superconcen- 
trator codes that we have constructed here. In particular, if one has a fast channel, then 
the computational work needed to encode and decode the error-correcting codes used can 
be a greater bottleneck in communication than the redundancy of the code. For an analysis 
of potential applications of long block length error-correcting codes, we direct the reader 
to [Bie92]. 

Those who desire to implement these codes should consider the issues discussed in 
Section 2.6. They should also be aware that our construction was optimized for ease of 
explication and that there are many parameters that one can vary which we have not 
discussed. For example, it might be advantageous to use error-reduction codes of rates 
other than 2/3 in the recursive construction. 

However, the reason that we did not attempt to optimize the tradeoff of rate versus error 
tolerance in our construction is that we believe that a new idea will be required to construct 
codes of rate and error tolerance competitive with the Gilbert-Varshamov bound. That is 
our goal: to obtain linear-time encodable and decodable error-correcting codes with rate 
and error tolerance as good as the best known codes, whatever their algorithmic efficiency. 
Our feeling is that this goal is achievable and that the work in this chapter constitutes an 
important step towards it, but that it cannot be achieved by simple modifications of our 
current construction. 



Chapter 4 



Holographic Proofs 



A holographic proof system is a system of writing and checking proofs in which one can 
probabilistically check the validity of a proof by examining only a few of its bits. If someone 
tells you that they have written a holographic proof of a theorem, then there is a simple 
procedure by which you can randomly choose a few bits of the proof to examine, perform 
a simple computation on these bits, and decide whether to accept or reject the proof. You 
will always accept a valid holographic proof. Conversely, if the probability that you accept 
is greater than 1/2, then the proof that you examined must be very close to a holographic 
proof of the theorem; thus, a proof of the theorem does exist. You can repeat this test 
a few times to obtain an arbitrarily high degree of confidence that the theorem is true. 
Remarkably, any theorem that has a conventional proof has a holographic proof. 

Constructions of holographic proofs 1 , which are also known as transparent proofs and 
probabilistically checkable proofs, were developed in a series of papers [BFL91, BFLS91, 
FGL+91, AS92b, ALM+92] which culminated in the following theorem: 

Theorem 4.0.1 [PCP-Theorem] Let E be an asymptotically good error-correcting code of 



Some authors use the terms holographic and transparentto describe proof systems in which the theorem to 
be proved is presented in an encoded format. This encoding is necessary if the proof checker is to run in poly- 
logarithmic time or read only a constant number of bits of the theorem. They use the term probabilistically 
checkable to describe systems in which the proof checker is allowed to read the entire statement of the theorem 
and run in polynomial time. The purpose of the encoded theorems is discussed further in Section 4.4. 
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minimum relative distance 8 such that there is a polynomial-time algorithm that will determine 
whether a given word is a codeword of E. Then, for any constant k, there exists a probabilistic 
algorithm V that expects k + 2 inputs, (Y ,Yi, . . . , !&, II), and runs in time log^ ' n such that 

• V only reads a constant number of bits from each of its k + 2 inputs; 

• if Yq = E(C) for some circuit C that expects k inputs of lengths rii,...,n k and if 
Yi = E(Xi) where |X,| = n i: for each i, and C accepts on input (X l7 . . . ,X fe ), then 
there is a string II such that V accepts on these inputs with probability 1; moreover, this 
string II can be computed from C and X l7 . . . ,X fe in time |II| log^ ' |II|; 

• if the probability that V accepts on inputs (Y , . . . , Y k , II) is greater than 1/2, then there 
exists a circuit C that accepts k inputs of lengths (ra l7 . . ., n k ) and strings X l7 . . . ,X k of 
the corresponding lengths such that C accepts on input (X l7 . . . , X k ) and d(E(C),Y ) < 8/3 
and d(E(Xi),Yi) < 8/3 for each i; 



V only uses O(log \C\) random bits; and, II has size \C\ 



0(1) 



We will explore why this theorem takes the form that it does later in this chapter. To 
see how it implies a statement similar to the informal statement given at the start of this 
section, we draw the following corollary: 

Corollary 4.0.2 There exists a probabilistic polynomial-time turing machine V that accepts 
two inputs, a description of a circuit C and a witness II. V reads only a constant number of 
bits of its input II and uses only O(log \C\) random bits. If there is an assignment that satisfies 
C , then there is an input II that will cause V to accept with probability 1. Conversely, if there 
is an assignment of II that causes V to accept with probability greater than 1/2, then C has a 
satisfying assignment. 

The witness II in this corollary is a holographic proof that C has a satisfying assignment. 
To derive our assertion about proofs of theorems, we observe that the problem of deciding 
whether any statement has a proof of a given length can be converted into a problem 
of deciding whether a certain circuit has a satisfying assignment. Using the techniques 
of [BFLS91], one can show that the size of this circuit will be greater than the size of the 
statement of the theorem and its proof by at most a poly-logarithmic factor. 
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The main contribution of this chapter, Theorem 4.6.1, is a strengthening of Theo- 
rem 4.0.1 in which the holographic proof, II, has size 0(|C| 1+e ), for any e > 0. The 
size of the proof will depend on the number of queries that the proof checker makes. If 
we allow the proof checker to make as many as O(log \C\) queries, then we will be able to 
construct proofs of size |C|(log |C|)0(i°gi°g|c|). 

4.0.1 Outline of Chapter 

Our construction of holographic proofs follows the general plan used in [BFLS91]. The 
authors of that paper explained how to construct holographic proofs of size 0(|C| 1+e ), for 
any e > 0, in which the proof checker reads O(log \C\) bits of the proof. In order to construct 
such small proofs, they first had to develop an efficient way to translate any proof into a 
simple, well-structured format. In Section 4.3.1, we present a simpler but slightly weaker 
means of achieving this translation. The framework presented in this section should be 
sufficient for most applications. In Section 4.6, we explain how our techniques can be fully 
integrated with the framework of [BFLS91]. 

Our holographic proofs are built from special polynomial error-correcting codes that 
have efficient checkers and verifiers. In Section 4.1, we define checkers and verifiers, and 
develop the terminology we will use to discuss them. 

Section 4.2 is devoted to defining the polynomial codes that we use and to demonstrating 
that they have the checkers and verifiers that we desire. The main statement of this section, 
Theorem 4.2.19, is an improved analysis of the "low-degree testing" used in Arora and 
Safra [AS92b] — it shows that the testing works over a domain whose size is linear in the 
degree being tested. We present the material in this section using the language we developed 
in Section 4.1. 

In Section 4.3, we combine the analysis from Section 4.2 with ideas from [BFLS91], 
[AS92b], and [Sud92] to develop relatively simple holographic proofs that can be checked 
by examining a constant number of segments of the proofs, each of size y^log^ ' n. The 
proofs in this system can be used to provide proofs of many types of statments, including 
circuit satisfiability. This section has three parts. In the first, we present the TVP-complete 
problem upon which we base our proof system. In Sections 4.3.2 and 4.3.3, we provide 
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an algebraic description of the problem. The key to this description is a novel algebraic 
description of a de Bruijn graph, Lemma 4.3.5. This algebraic description is combined with 
the techniques of Section 4.2 to construct holographic proofs in Section 4.3.4. 

In Section 4.4, we recursively apply the holographic proof system of Section 4.3 to itself 
to obtain the first variation of our construction of nearly linear size holographic proofs, 
Theorem 4.4.1. The recursion that we use differs from those in [AS92b] and [ALM+92] in 
that it does not need consistency checking. We do not show that the proofs in this first 
variation have checkers that run in poly-logarithmic time. In Theorem 4.5.1, we show that 
there is an easily computed table of information such that, if the proof checker has access 
to this table, then it can run in poly-logarithmic time. Essentially, this table captures 
computations that the proof checker would perform regardless of its input. That is the 
second variation of our construction. In Section 4.6, we use a technique from [BFLS91] to 
construct checkers that do not need such a table. This statement, Theorem 4.6.1, is the 
final variation of our main theorem. We conclude by stating a weaker but simpler corollary 
of this theorem. 

Since the history of the development of holographic proofs is rather involved, we do not 
explain it here, but refer the reader to one of 

• Sanjeev Arora. Probabilistic Checking of Proofs and Hardness of Approximation Prob- 
lems. PhD thesis, U.C. Berkeley, Aug. 1994. 

• Laszlo Babai. Transparent proofs and limits to approximation. In First European 
Congress of Mathematics: (Paris, July 6-10, 1 992), volume 2, pages 31-92. Birkhauser, 
1994. 

• Oded Goldreich. A taxonomy of proof systems. SIGACT News, 24(4) — 25(1), De- 
cember 1993— March 1994. 

• Madhu Sudan. Efficient checking of polynomials and proofs and the hardness of ap- 
proximation problems. PhD thesis, U.C. Berkeley, Oct. 1992. 
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4.1 Checkable and verifiable codes 

In this section, we define checkable and verifiable codes. Such codes have played an im- 
portant role in the construction of holographic proofs and were used implicitly in the 
work of [LFKN90] and [BFL91]. However, we first saw them explicitly defined in [Bab94] 
and [BF93]. 

Definition 4.1.1 A checker for a family of codes \C{\ of lengths {n 8 -} and relative minimum 
distance 8 over an alphabet X is a probabilistic algorithm such that 

• The checker accepts each word of C, with probability 1. 

• If the probability that the checker accepts the word w of length ra, is greater than 1/2, 
then there is a unique codeword of C, of relative minimum distance at most 8/3 from w. 

We will usually measure the performance of a checker by the number of bits of its input 
that it reads. Occasionally, we consider the computational complexity of the checker. 

One could imagine using a checker in a communication system in which one has the 
option of requesting the retransmission of a message. A checker would be able to read 
only a constant number of bits of a received signal and then estimate the chance that a 
decoder will be able to correct its errors. If the checker determines that it is unlikely that 
the decoder will be able to correct the errors, then the checker can instantly request a 
retransmission of that block, before the decoder has wasted its time trying to decode the 
message. Unfortunately, all known codes with such checkers have rates that approach zero. 
Thus, current constructions would be inappropriate for use in real communication systems. 

Usually, we will impose more structure on the bits of a codeword and the ways in which a 
checker can access them. We will partition the bits of a code into segments and insist that a 
checker read all the bits of a segment if it reads any one. For example, if s is a segment that 
contains the i-th through j'-bits, and if x = (xi, . . .,x n ) is a word, then the value of x on 
segment s is (a;,, ... , Xj). If an algorithm reads a;,, we will charge it for reading x i+ i, . . . , Xj 
as well. Note that we define segements to be disjoint sets of bit-positions. When we describe 
a checker of a code whose bits are broken into segments, we will count how many segments 
of the code a checker reads and how many bits those segments contain. 
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Remark 4.1.2 This division of the bits into segments can exist purely in the mind of the 
checker. It does not imply that any formatting symbols appear in the data. We describe the 
bits of a code as being broken into segments to indicate the way in which our algorithms will 
access the bits of that code. 

The checkable codes in holographic proofs are derived from verifiable codes. In addition 
to being checkable, a verifiable code has the property that one can probabilistically verify 
that individual bits of a received word have not been corrupted. 

Definition 4.1.3 Let {C,} be a family of codes of lengths {n 8 -} and relative minimum distance 
8 over an alphabet X such that the bits of each code are partitioned into segments. A verifier 
for {Cj} is a probabilistic algorithm that takes a word w and the name of a segment s as input 
such that 

• if w is a word of d, then the verifier accepts, and 

• if the probability that the verifier accepts a word w (of length ra,) on segment s is greater 
than 1/2, then there is a unique codeword c of C, of relative minimum distance at most 
8/3 from w such that c has the same value as w on segment s. 

As with checkable codes, we will measure the performance of a verifier by the number 
of segments of the code that it reads and by how many bits those segments contain. 

We like to view the set of holographic proofs of a statement as being a checkable code 
with semantic restrictions. 2 Consider a code consisting of the proofs of a given length of a 
certain statement. If the statement is false or if it has no proofs of that length, then the 
code will be empty, and this is OK. Now, assume that this code also has a checker that 
reads only a constant number of bits of its input. The checker will accept every codeword 
in the code, and if it accepts some word with high probability, then that word must be close 
to a codeword. We have just described a holographic proof system. 

Current constructions of holographic proofs have verifiers that read only a constant 
number of bits of their input. Thus, as one checks a holographic proof that a circuit is 



Consider a circuit that has many satisfying assignments. For each of these satisfying assignments, we 
obtain a different holographic proof that the circuit is satisfiable. We view this set of proofs as words in an 
error-correcting code. 
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satisfied, one can probabilistically obtain any bit of the satisfying assignment of the circuit 
while only reading a constant number of bits of the proof. This fact will be very important 
to us in Section 4.4. 
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4.2 Bi and Trivariate codes 

A remarkable property of holographic proofs is that they enable us to demonstrate prop- 
erties of some object while only examining a few bits of that object. In this section, we 
will take a first step in this direction by presenting a constant rate code of length n that 
can be checked and verified by examining 0(y/n) of its bits. Actually, the code that we 
develop will be somewhat stronger than this. The code will be divided into segments. Each 
segment will have size 0(y/n), and we will be able to check and verify the code while only 
examing data from a constant number of segments. We will later use these codes in a 
recursive construction to obtain codes that are checkable by examining fewer bits in more 
segments. Versions of these polynomial codes and their checking and verification algorithms 
first appeared in [AS92b] and [Sud92]. Our contribution is an improvement in their anal- 
ysis (Theorem 4.2.19) which enables us to use versions of these codes that have much less 
redundancy than was previously possible. 

The codes we construct in this section are polynomial codes over a field. We will use 
T to denote this field. It doesn't matter what field we use, so long as it is big enough to 
contain the objects that we describe. 

The codewords in our first code will correspond to polynomials in two variables, say x 
and y, such that their degree in x is bounded by a parameter d and their degree in y is 
bounded by a parameter e. Since we will use such vector spaces often in this chapter, we 
will memorialize their description in a definition: 

Definition 4.2.1 A polynomial p(xi, . . . , x k ) has degree (d l5 . . . , d k ) if the degree of p in x, 
is at most d i: for each i. We do not demand that the <i/s be integers. 

There are a number of ways that we could present a polynomial of degree (d,e). The 
most natural way of presenting such a polynomial would be to write down its coefficients 
(Figure 4-la). Another way of presenting such a polynomial is to choose X C T and Y C T 
so that |X| > d and |Y| > e, and then write down the values of p at each point of 1x7 
(Figure 4-lb) 3 . Both of these presentations involve writing down at least (d + l)(e + 1) 
pieces of information (elements of T). 



The reader should verify that such a presentation uniquely defines the polynomial p. 
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Our presentations of polynomials will contain even more information. While the extra 
information will not be necessary to specify the polynomial, it will be useful when we want 
to establish facts about the polynomial without reading its entire presentation. 

We now define a presentation of a polynomial to be the list of its values over some 
domain, along with the list of univariate polynomials obtained when one of the its variables 
is restricted to a value in that domain (Figure 4-lc). 

Definition 4.2.2 Let p(x, y) be a polynomial of degree (d, e) over a field T ', and let X, Y C T . 

A presentation of p over X xY consists of 

• the list of values of p at each point of X X Y : 

(p(x, y) : x £ X and y £ Y) , and 

• for each x £ X , the coefficients of the univariate degree e polynomial obtained by 
restricting p to x (we can view this as a function from X to the space of degree e 
polynomials in y), and 

• for each y £ Y, the coefficients of the univariate degree d polynomial obtained by 
restricting p to y (which we can view as a function from Y to the space of degree d 
polynomials in x). 

A presentation is viewed as being divided into segments. Each value of p and each univariate 
polynomial listed in the presentation is a separate segment. We refer to X X Y as the domain 
of the presentation. 

Remark 4.2.3 When we write "list of values of p" , we mean that the data should be organized 
into a list in which each element has the same length so that if one wants to look up the value 
of p at (x,y), then one knows instantly where to look in the list. The same should hold for 
the lists of univariate polynomials. Thus, these three lists could be viewed as one function from 
X X Y — ► T followed by a function from X — ► T e+1 followed by a function from Y —^ T d+1 . 

Remark 4.2.4 The definition of a presentation of a degree (d,e) polynomial naturally gen- 
eralizes to degree (d l5 . . . , d k ) polynomials. A presentation of a degree (d l5 . . . , d k ) polynomial 
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Figure 4-1: Three ways to describe a polynomial, c is a presentation 

over a domain X x X • • • X X fe should consist of the list of values of the polynomial over that 
domain, and k lists of the univariate polynomials obtained by restricting the polynomial in all 
but one of its variables. 

Presentations of distinct polynomials over sufficiently large domains are far apart. This 
follows easily from the following lemma by considering the polynomial which is their differ- 
ence. 

Lemma 4.2.5 [Schwartz [Sch80]] Let p be a degree (d l5 . . ., d k ) polynomial over a domain 

V = T>x X • • • X V k where |X>,| = ra, for i = 1 • • -k. If p has more than 

k i 

zeros in D] X ... X V k , then p must be the zero polynomial. 

Proof: We prove this by induction. We already know the base case: a non-zero univariate 
polynomial of degree d can have at most d zeros. Now, assume that we have proved the 
lemma for k — 1. There exist degree (d l5 . . . , d k _i) polynomials p , . . . ,p dk such that 



P{Xi, . . . , X k ) — y ^Pi[Xi, . . . , x k _i)x k . 

8 = 

If one of the p,'s is non-zero, then it is zero for at most a J2 i I 1 — of the values of 
(xi, . . . , x k _i). For the values of (xi, . . . , x k _i) such that it is non-zero, p can be zero 
at most a — fraction of the time. ■ 
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The first thing we will prove about presentations of bivariate polynomials is that if we 
are given some data and we are told that it is a presentation of a bivariate polynomial, 
then we can probablistically check whether it is a presentation of a bivariate polynomial 
while only reading a constant number of segments of the data. It is not possible to prove 
such a statement for presentations over domains that are too small, so our theorem will 
only apply to domains that are larger than the degree of the polynomial by some factor. 
Our contribution is that we prove this for domains whose size is greater than de by only a 
constant factor. Previously, Arora and Safra [AS92b] proved such a statement for domains 
whose size was cubic in de. Sudan [Sud92] later improved this to quadratic. In order to 
obtain nearly-linear size holographic proofs, we needed to improve their bounds. 

In order to state the checking algorithm, we will need to state precisely what we mean 
by "data" that could be a presentation of a bivariate polynomial. The following definition 
essentially describes a string that is of the same length as a presentation of a degree (d, e) 
polynomial. The division of the string into segments is purely for the convenience of our 
description, and places no restriction on the definition. 

Definition 4.2.6 A (d, e)-presentation over X X Y consists of: 

• A string that we view as a list of elements of T ', one for each point of X X Y; we say this 
string assigns an element of T to each point of X X Y; 

• for each x £ X , a string whose length is the same as the length of the description of a 
degree e univariate polynomial over T; and 

• for each y £ Y, a string whose length is the same as the length of the description of a 
degree d univariate polynomial over T . 

We will just write presentation if (d,e) is clear from context. 

Remark 4.2.7 This definition does not actually impose any constraints on the content of the 
(d, e)-presentation. Rather, it should be viewed as a description of how the presentation is 
broken into segments and how those segments will be interpreted by the algorithms that read 
them. 
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Remark 4.2.8 This definition naturally generalizes to a definition of a (d l5 . . . , ^-presentation 
in a fashion analogous to Remark 4.2.4. 

We have defined a (d,e)-presentation so that a presentation of a degree (d,e) polynomial 
is one. We will now state the algorithm for checking whether a (d, e)-presentation is a 
presentation of a degree (d, e) polynomial. 

Bivariate presentation checking algorithm: 

• Choose a point (x, y) uniformly at random from X xY . 

• Examine the value, v, assigned to that point, the string that is assigned to x, and the 
string assigned to y (in a presentation of a degree (d,e) polynomial, these represent 
the value of the polynomial at (x,y), its restriction to x, and its restriction to y). 
Accept if the string assigned to x represents a polynomial that takes the value v when 
evaluated at y and the string assigned to y represents a polynomial that takes the 
value v when evaluated at x. 

The reader should verify that if this algorithm is run on a presentation of a bivariate degree 
(d,e) polynomial on X X Y, then the algorithm will always accept. We will now see that 
the converse of this statement is true. That is, if this algorithm accepts with probability 1, 
then the presentation must be a presentation of a bivariate polynomial of degree (d, e). 

Proposition 4.2.9 [Well-known] Let X = {xi, . . . , x m }, Y = {yi, . . .,y n }, and let d < m 
and e < n. Let f(x,y) be a function onlxF such that for 1 < j ' < n, f(x,yj) agrees on X 
with some degree d polynomial in x, and for 1 < i < m, f(xi,y) agrees on Y with some degree 
e polynomial in y. Then, there exists a polynomial P(x,y) of degree (d,e) such that f(x,y) 
agrees with P(x,y) everywhere on X X Y. 

Proof: Recall that a degree d univariate polynomial is uniquely determined by its values 
at d + 1 points. For 1 < j ' < e + 1, let Pj(x) be the degree d polynomial that agrees with 
f(x, y/). For 1 < j ' < e + 1, let Sj(y) be the degree e polynomial in y such that 

{1, if j = k, and 
0, if 1 < k < e + 1, but j ^ k. 
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We let P(x,y) = YTj=i ^j(y)Pj( x )- It is clear that P has degree (d,e). Moreover, P(x,yj) = 
f(x,yj) for all x £ X and 1 < j ' < d + 1. To see that in fact P(x,y) = f(x,y) for all 
(x,y) G X X Y, observe that P and / agree at e + 1 points in column y. Since / agrees 
with some degree e polynomial in column y, that polynomial must be the restriction of P 
to column y. ■ 

Sections 4.2.1 through 4.2.3 will be devoted to proving that, if the algorithm accepts a 
(d, e)-presentation with probability close to 1, then that presentation must look a lot like 
a presentation of some degree (d, e) polynomial. We formalize the notion of presentation 
being close to a presentation of a degree (d, e) polynomial by: 

Definition 4.2.10 A (d, e)-presentation, P, over a domain X X Y is e-good if there exists a 
degree (d, e)-polynomial p such that the presentation of p over X xY differs from P in at most 
an e fraction of their segments in each list. 

We note that if a presentation P is e-good for a sufficiently small e, then there is a 
unique polynomial p to whose presentation P is close: 

Proposition 4.2.11 Let P be a e-good presentation of a degree (d l5 . . . , d fe ) polynomial over 

a domain T>i X . . . X V k where |X>,| = n i: for i = 1 • • -k. If 

d. 






= 1^ 



then there is a unique polynomial p such that P and the presentation of p differ in at most an 
e fraction of their segments. 

Proof: Assume, by way of contradiction, that there were two degree (d l5 . . .,d k ) poly- 
nomials p and q that agreed with P in all but an e fraction of their segments. Then the 
presentations of p and q agree in all but at most a 2e fraction of their segments. So, p and q 
must have the same values for at least a 2e fraction of the domain. This would imply that 
p — q is zero for a 2e fraction of the domain. However, by Lemma 4.2.5, this would imply 
that p — q = 0, contradicting the assumption that p and q were distinct. ■ 

Our aim is to now prove 
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Lemma 4.2.12 Let P be a (d,e) presentation over a domain X X Y such that |X| > 8d 
and |y| > 8e. If the probability that the bivariate presentation checking algorithm accepts is 
greater than 1 — e, for e < 1/16, then the presentation p is 3e good. That is, the code of 
(d, e)-presentations over the domain X xY has a checker that reads only a constant number 
of segments of its input, each of size 0(y/n). 

Proof: The first part follows from Theorem 4.2.19, which is to be proved in Sections 4.2.1, 
4.2.2, and 4.2.3. An alternative approach to proving this Theorem is outlined in Sec- 
tion 4.2.4. To obtain the checker, it is necessary to run the bivariate presentation checking 
algorithm a constant number of times. ■ 

4.2.1 The First Step 

In our proof of Theorem 4.2.19, we will restrict our attention to the lists of univariate 
polynomials contained within a presentation. In Remark 4.2.3, we observed that the list 
of univariate polynomials of degree e in y could be viewed as a function from X — ► T e+1 . 
We can also view this list as a function in x and y that is arbitrary in the x direction, but 
always looks like a degree e polynomial in y. Because X has size to, an arbitrary function 
on X can be represented as a degree m polynomial. 4 Thus, we can also view this list as a 
description of a degree (m,e) polynomial in x and y. We will call this polynomial C(x,y). 
We will obtain a degree (d,n) polynomial from the other list, and call that polynomial 
R(x,y). If the bivariate presentation checking algorithm accepts with high probability then 
R(x, y) and C(x, y) agree on most oflxY. 

Let C(x,y) be a polynomial of degree (m,e) and let R(x,y) be a polynomial of degree 
(d, n) such that 

Prob [R{x,y)^C{x,y)]< 1 . 

(x,y)eXxY 

In Theorem 4.2.19, we will show that if 7 is a sufficiently small constant, then there exists 



Actually, it can be represented as a degree m — 1 polynomial. But, we will ignore this fact because it is 
a pain to write "m — 1" everywhere. 
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a polynomial Q(x,y) of degree (d, e) such that 

Vioh [R(x,y)^Q(x, y) or C(x,y)^Q(x, y)] < 2 Prob [R(x, y) ± C(x, y)]. 

(x,y)eXxY (x,y)eXxY 

As in [Sud92], we begin by finding a low-degree "error correcting" polynomial that is 
zero whenever R and C disagree. 

Lemma 4.2.13 Let S C X X Y be a set of size at most 8 2 mn. Then, there exists a non-zero 
polynomial E(x, y) of degree (8m, 8n) such that E(x, y) = for all (x, y) £ S . 

Proof: The set of polynomials of degree (8m, 8n) is a vector space of dimension ( \8m\ + 
l)(|_<*>raj + 1). Consider the map that sends a polynomial to the vector of values that it takes 
for each point in S . That is, let S = {s l7 . . . , s k } and consider the map 

4>:E(x,y)^(E(s 1 ),E(s 2 ),...,E(s k )). 

This map is a homomorphism of a vector space of dimension ( \8m\ + l)(|_<*> ra J + 1) into a 
vector space of dimension at most 8 2 mn, which is smaller. So, there must be a non-zero 
polynomial in the vector space of polynomials of degree (8m, 8n) that evaluates to zero at 
every point in S . ■ 

Let S be the subset of X X Y on which R and C disagree. By Lemma 4.2.13, we can 
choose E(x,y) so that 

R(x, y)E(x,y) = C(x, y)E(x, y) for all (x, y) G X xY. 

Moreover, C(x, y)E(x,y) is a polynomial of degree (m + 8m, e + 8n) and R(x, y)E(x,y) is 
a polynomial of degree (d + 8m, n + 8n). By Proposition 4.2.9, there exists a polynomial 
P(x, y) of degree (d + 8m, e + 8n) such that 

R(x, y)E(x,y) = C(x, y)E(x,y) = P(x, y), for all (x, y) e X xY. (4.1) 

We would like to divide P by E as formal polynomials and conclude the proof. However, 
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the most we can say is that 

P{x,y) 

E{x,y) 



R(x,y) = C(x,y), 



for all (x,y) e X xY such that E(x, y) ^ 0. 

The next two sections will be devoted to showing that if n is sufficiently large, then E 
does in fact divide P. We will begin with one small step: 

Lemma 4.2.14 Let E(x, y), P(x, y), R(x, y) and C(x, y) be polynomials of degrees (8m, 8n), 
(d + 8m, e + 8n), (d, n) and (to, e) respectively such that (4.1) holds. If |X| > 8m + d and 
|y| > 8n + e, then for all y G Y and for all x G X, P(x,y ) = R(x,y )E(x,y ) and 
P(x ,y) = C(x ,y)E(x ,y). 

Proof: For fixed y , P(x,y ) and R(x,y )E(x,y ) are degree d + 8m polynomials that 
have the same value on at least d + 8m + 1 points, so P(x, y ) = R(x, y )E(x, y ) as formal 
polynomials in x. The other case is proved similarly. ■ 

From this point, we know two routes to the proof of Lemma 4.2.12. The route that we 
pursue in the main text (Sections 4.2.2 and 4.2.3) is more elementary. In Section 4.2.4, we 
show how one can replace Section 4.2.2 and Lemma 4.2.18 with an application of Bezout's 
Theorem. This route is more direct, but may be accessible to fewer readers. 

4.2.2 Resultants 

In this section, we will review some standard facts about resultants. A more complete 
presentation can be found in [Lan93, vdW53]. We note that Sudan [Sud92] introduced the 
idea of using the resultant to prove that E divides P. 
Let T be a field and let 

P(x) = P + P x x H \-P r x r , and 

E(x) = E + E x x + ■ ■ ■ + E s x s 

be polynomials in x with coefficients in the field T . 



4.2 
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Proposition 4.2.15 P(x) and E(x) have a non-trivial common factor if and only if there exist 
polynomials A(x) of degree s — 1 and B(x) of degree r — 1 such that P(x)A(x) — E(x)B(x) = 0. 

Proof: If there exist F(x), P(x) and E(x) such that deg_F(a;) > 1, P(x) = F(x)P(x), 
and -E(a;) = F(x)E(x), then we can choose A(x) = E(x) and B(x) = P(x). 

To go the other direction, assume that such A(x) and B(x) exist. Since the degree of 
P(x) is greater than the degree of B(x), P(x) and E(x) must share a common factor. ■ 

We can reformulate this as a system of linear equations in the coefficients of A and B: 



P A 

P 1 A + P A 1 

P 2 A + P x Ai+ PoA 2 



E B 

E 1 B + E B 1 

E 2 B + E 1 B 1 + E B 2 



P r A s _i 



E s B r _i 



If we treat the coefficients of A and B as the variables of a system of linear equations, then 
we find that the above equations have a solution if and only if the matrix M(P, E) has 
determinant zero, where M(P, E) = 



( 



P r P r -\ Pq 











Pr 



...Pi Po 



\ 



... P r ... 

E s E s _i ■ ■ ■ E 



Pi Po 
... 



V 



>s rows 



>r rows 



/ 



: ■■. ■■. 

... E s E s _, ... E 

We now define R(P,E), the resultant of P and E, to be the polynomial in the coefficients 
of P and E obtained by taking the determinant of M(P, E). We obtain: 

Proposition 4.2.16 The polynomials P(x) and E(x) share a common factor if and only if 
R(P,E) = 0. 
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The following fact about the derivative of the determinant of a matrix of polynomials will 
play a crucial role in our proof: Let 



Mix) 



{ Pi,i(x) Pi i2 (x) 

P2,l(x) P2,2(x) 



Pl,k( X )\ 
P2,k(x] 



\Pk,l(x) Pk,2(x) ■■■ Pk,k( X )J 



be a k-by-k matrix of polynomials in x over T and let R(x) be the determinant of M(: 
Proposition 4.2.17 R'(x), the derivative of R(x), can be expressed as 



R'( 



Pi,i( 

P2,l( 



Pl,2( 

P2, 2 ( 



Pl,k( 
P2,k( 



Pk,l(x) Pk,2( X ) ■■■ Pk,k( X ) 



Pl,l(x) Pl,2(x) ... Pl t k(x) 
P2,l(x) P2,2(x) ■■■ P2,k( X ) 

P'k,l( X ) P'kAx) ■■■ P'k,k( X ) 



4.2.3 Presentation checking theorems 

Since the propositions of the previous section concerned univariate polynomials, you may 
be wondering how we are going to apply them to bivariate polynomials. The idea is to treat 
the polynomials P(x,y) and E(x,y) as polynomials in y over J-{x), the field of rational 
functions in x. T{x) is the field comprising terms of the form p(x)/q(x), where p(x) and 
q(x) are polynomials in T . It is easy to verify that this is in fact a field. 

We can now consider P and E as polynomials in y with coefficients in T{x) by writing 

P(x,y) = P (x) + P^y + ■ ■ ■ + P Sn+e ( x )y Sn+e 
E(x,y) = E (x) + E^y + ■ ■ ■ + E Sn (x)y Sn . 



We will show that E divides P as a polynomial in y over the field T{x). By Gauss' Lemma 5 , 
this implies that E divides P over J~[x], the ring of polynomials in x, which means that 
E(x,y) divides P(x,y). 



The usual statement of Gauss' Lemma is that if a polynomial with integer coefficients can be factored 
over the rationals, then it can be factored over the integers. A proof of Gauss' Lemma can be found in most 
undergraduate algebra textbooks. 
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We will begin our proof by dividing E and P by their greatest common divisor. If that 
greatest common divisor is not E, then we obtain two polynomials with no common factor. 
To obtain a contradiction, we will show that these two polynomials have a common factor 
when considered as polynomials in y over T(x). By Gauss' Lemma, this will imply that 
they share a common factor when considered as polynomials in x and y. 

Lemma 4.2.18 Let E(x,y) be a polynomial of degree (am, fin) and let P(x,y) be a polyno- 
mial of degree (am + 8m, fin + era). If there exist distinct Xi, . . . , x m such that E(x{, y) divides 
P(xi,y) for 1 < i < m, distinct yi,...,y n such that E(x,yi) divides P(x,yi) for 1 < i < n 
and if 

l>a + (i + 8 + e, 

then E(x,y) divides P(x,y). 

Proof: Assume, without loss of generality, that fi > a. Let F(x,y) be the largest 
common factor of P(x,y) and E(x,y). Assume by way of contradiction that F ^ E and 
that F(x,y) has degree (a,b). Set 

P(x,y) = P(x,y)F(x,y) and E(x,y) = E(x,y)F(x,y). 

We will now divide P and E by F and apply the lemma to P and E over the rows and 
columns on which F is not identically zero. The conditions of the lemma are satisfied by P 
and E on this domain because F can be identically zero on at most b rows and a columns, 

and 

am — a 8m — a fin — b en — b 

a + fi + 8 + e> + + - - + -. 

m — a m — a n — b n — b 

Thus, we can assume without loss of generality that P(x,y) and E(x,y) have no common 
factors. We will use this assumption to obtain a contradiction. Write 

P(x,y) = P {x) + P^y + ■ ■ ■ + P Pn+m {x)yV+<> 
E(x,y) = E (x) + E^y + ■ ■ ■ + E pn (x)y? n , 
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and form the matrix M(P, E)(; 



I P(p + e)n{x) 



P n (x) 



\ 






•• P(fj + e)n{x) 




.. P (x 


Ef)n{x) 


■■ E (x) 















Ef)n{x) ■ 


. . E (x 



>(]n 



>(l3 + e)n 



R(P, E)(x), the resultant of P and E, is the determinant of M(P, E)(x) and can therefore be 
viewed as a polynomial in x. M(P, E)(x) has fin rows of coefficients of P and (fi-\-e)n rows of 
coefficients of E, so R(P, E)(x) will be a polynomial of degree at most mn(fi(a-\-6)-\-(fi-\-€)a). 
We will show that R(P, E)(x) is in fact the zero polynomial by demonstrating that it has 
more than this many roots. 

For f < i < n, E(xi,y) divides P(xi,y), so we can see that the first fin rows of 
M(P,E)(xi) are dependent on the last (fi + e)n rows of M(P,E)(xi). This implies that 
M(P,E)(xi) is a matrix of rank at most (fi + e)n (actually, the rank is exactly (fi + t)n). 
By Proposition 4.2.f7, the A;-th derivative of R(P, E)(x) at x, is the sum of determinants 
of matrices of rank at most (fi + e)n + k. Since M(P, E)(x) is a matrix of side (2/3 + e)ra, 
R( k )(P^ E)(xi) is zero for k < fin. That is, R(P, E)(x) has a zero of multiplicity fin at each 
of Xi, . . . , x m . Because we assumed that l>a-\-fi-\-6-\-e and fi > a, we find 

m(fin) > mn(fia + jiS + fi 2 + fie) > mn(fia + jiS + afi + ae), 

so R(P,E)(x) must be the zero polynomial. Applying Proposition 4.2. f 6, we see that E 
and P must have a non-trivial common factor when considered as polynomials in y over 
J-'(x), which is a contradiction. ■ 

We can now prove: 



Theorem 4.2.19 [Bivariate Checking] Let T be a field, let X = {xi, . . . , x m } C T, and let 

Y = {yi, . . . , y n } C T . Let i?(s, y) be a polynomial over T of degree (<i, ra) and let C(x, y) be 
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a polynomial over T of degree (to, e). If 



Prob [R(x, y) ^ C(x, y)] < 8 2 and 

(x,y)eXxY 



d e 

1 > 2— + 2- + 28, 
m n 



then there exists a polynomial Q(x,y) of degree (d,e) such that 



Prob [£(£, y) ± Q(x, y) or C(x, y) ± Q(x, y)] < 28 2 , 

(x,y)eXxY 



Piob[C(x ,y) = y Q(x ,y)] > 1 - 2S 2 , and 

x £X 

Piqb[R(x,y )= x Q(x,y )] > 1-2S 2 . 

Vo£Y 



Proof: Let S be the set of points such that R(x,y) ^ C(x,y). By Lemma 4.2.13, there 
exists a polynomial E(x, y) of degree (8m, 8n) such that S is contained in the zero set of E. 
By Lemmas 4.2.14 and 4.2.18, there exists a polynomial Q(x,y) of degree (d,e) such that 

R(x,y)E(x,y) = C{x,y)E(x,y) = Q(x,y)E(x,y), 

for all (x,y) e X xY. 

This implies that in any row on which E(x,y) is non-zero, Q agrees with R on that 
entire row. However, E can be identically zero on at most 8n rows; so, E must be non-zero 
on at least (1 — 8)n rows. Thus, Q must agree with R on at least (1 — 8)n rows. We can 
similarly show that Q must agree with C on at least (1 — 8)m columns. We could stop 
now, content in the knowledge that R and C agree on the intersection of (1 — 8)n rows and 
(1 — 8)m columns; however, we will show that they agree on many more points. 

As before, let S be the set of points at which R(x,y) ^ C(x,y). Let T be the set of 
points at which R(x,y) = C(x,y), but Q(x,y) ^ R(x,y). We will show that \T\ < \S\, 
which will prove the first inequality. Call the rows on which R disagrees with Q bad and 
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define bad columns similarly. Let b r be the number of bad rows and let b c be the number 
of bad columns. Call good any row or column that is not bad. We will say that a row and 
column disagree if R and C take different values at their intersection. We first observe that 
there can be at most e + b r points of T in any bad column: if a column has more than e + b r 
points of T, then it must have at least e + 1 points in good rows at which C agrees with 
R and therefore Q, implying that that column is in fact good. Because we assumed that 
1 > 26 + e/ra, every bad column must have at least n/2 points of S in the intersection of 
that column with the good rows. We can similarly analyze the bad rows to see that each 
must have at least ra/2 points of S in the intersection of that row with the good columns. 
We thereby conclude that \T\ < \S\. (the basic idea is that the points of T must lie in the 
shaded region of Figure 4-2). By examining the two regions in Figure 4-2 that contain the 
points of S , we conclude 

— b r < S 2 nm =>- — < 2S 2 , and — b c < S 2 nm => — < 2S 2 . 
2 n 2 ra 



bad 
cols 



e rows 



dcoh 



bad 
rows 



Figure 4-2: The arrangement of bad rows and columns. 



When we construct holographic proofs, we will need a version of Lemma 4.2.12 that 
applies to trivariate presentations. We will not attempt to optimize this version. 

While the following proof might look a little long, it is actually very simple: we will first 
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apply Theorem 4.2.19 in each (w,x) plane and each (w,y) plane to obtain a collection of 
bivariate polynomials in (w, x) and (w, y) respectively. We will then treat these as univariate 
polynomials in x and y that assume values that are functions in w, and then combine them 
with another application of Theorem 4.2.19. 

Corollary 4.2.20 Let P(w, x, y) , R(w, x, y), and C(w, x, y) be polynomials over a field T of 
degrees (c, 12 d, 12e), (12c,d,12e) and (12c,12d,e) respectively. Let W, X, and Y be subsets 
of T of sizes 12c, 12 d, and 12e respectively. If 

Prob [P(w, x, y) = R(w, x, y) = C(w, x, y)] > 1 



(w, x , y )ewxXxY l v ' ,yj v ' ,yj v ' ,yjl 2916' 

for e < 1, then there exists a polynomial Q(w, x, y) of degree (c, d, e) such that 

Prob [Q(w,x,y) = P(w,x,y) = R(w,x,y) = C(w,x,y)] > 1 — . 

(w,x,y)£WxXxY 9 

Proof: We begin by observing that there exists a set Y' C Y such that \Y'\ > (1 — ^) \Y\ 
and for each y £Y', 

(w,x)ewxx 54 

For each y G Y' , we now apply Theorem 4.2.19 to the polynomials obtained by restricting 
P and R to y to obtain a degree (c, d) polynomial in w and x, which we will call R y ° , such 
that 

FTob[R y °(x ,w) = w P(w,x ,y )] > 1 - -£-. 

x ex 54 

For y g - Y', we let R y ° = 0. We are now going to treat the R yo, s as univariate polynomials 
in x that take on values that are functions of w. We then combine these together to form 
a degree (d, n) polynomial over J-(w) that we will call R Y by defining: 

R Y (x ,y ) = R y °(w,x ). 



We see that 



Prob [R Y (x, y) = w P(w, x, y)]>l- -£-. 

(x,y)eXxY 54 
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We now combine C and P in the same way to obtain a degree (m,e) polynomial over 
J-{w) that we call C x such that 

Prob [C x (x,y)= V) P(w,x,y)]>l-^-. 

(x,y)eXxY 54 

By combining these two inequalities, we find 

, P ^ b J c ' x ( x > y) =» rY ( x > y) =» p ( w ' x > y)]> 1 ~ it- 

(x,y)£XxY 9 



Since 



d e /-v/e 

1 > 2 -4-2 + 2\ ■*—, 

12d 12e V 9 ' 



we can apply Theorem 4.2.19 to the polynomials R Y and C x to obtain a degree (d,e) 
polynomial Q(x,y) that takes values in J-(w) such that 



ixs „,\ _ D y/„ „.\ _ t>( ... „ ».m ^ 1 ^A/e 



Prob [<5(a;,2/) = w C (x,y)= w R (x,y) = w P(w,x,y)]> 1 . 

(>,y)eXxY 9 

It remains to show that Q(x,y) is a degree c polynomial in w as well. To do this, consider 
a value y £ Y such that Q(x,y) agrees with P(w,x,y) for more than d values of x. On 
these values of x, Q(x, y ) is a degree <i polynomial in w. Moreover, for any other value of 
x, the value of Q(x,y ) can be expressed as a linear combination with coefficients in T of 
these polynomials, so Q(x,y ) will be a degree d polynomial in w for all x £ X. We now 
observe by simple counting that there must be more than e values of y for which this is 
true, so we can apply the same reasoning for these values of y , and then in the x direction, 
to see that Q(x, y) is a degree (c, d, e) polynomial in w, x and y. ■ 

This corollary implies that there is a trivariate presentation checking algorithm analo- 
gous to the bivariate presentation checking algorithm. 

4.2.4 Using Bezout's Theorem 

In this Section, we describe a different way of proving Theorem 4.2.19. We use Bezout's 
Theorem which, roughly stated, says: 
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Theorem 4.2.21 [Bezout] Let p(x,y) and q(x,y) be polynomials of degree d and degree e 
respectively. If p and q have more than de zeroes in common (counting zeroes by multiplicity), 
then p and q share a common factor. 

We now pick up our proof where we left off at the end of Section 4.2. f. For simplicity 
of exposition, we will only consider the case in which n = m and d = e. The cases in which 
they are different are proved similarly. 

Proposition 4.2.22 Let E(x, y) and P(x, y) be degree {Sn, Sn) and degree (d + 8n, d + Sn) 
polynomials over a field T such that E(x , y) divides P(x , y) as a polynomial in y for 5(d + Sn) 
distinct values of x . Then, E(x,y) divides P(x,y) as a polynomial in x and y. 

Proof: Let Xi, . . .,x 5 ^+6n) be distinct values such that E(xi,y) divides P(xi,y) as a 
polynomial in y. Assume that E has degree exactly Sn in y (it is to our advantage if 
this is not the case) and assume that E(xi,y) has full degree in y for f < i < hd + ASn. 
Because E(xi,y) divides P(xi,y), E(x,y) and P(x,y) share at least Sn zeroes 6 (counted by 
multiplicities) along the line x = a;,, for each f < i < hd + ASn. Because 

deg(£) • deg(P) < ASn (d + Sn) < Sn (5d + ASn) , 

Bezout 's Theorem implies that P and E share a common factor. If we divide E and P 
by this common factor and again apply the same argument, we eventually discover that E 
divides P as a polynomial in x and y. ■ 

One can essentially replace Section 4.2.2 and Lemma 4.2.18 with an unbalanced version 
of Proposition 4.2.22. The bounds that we thereby obtain in Theorem 4.2.19 are slightly 
weaker, but still sufficient for the purposes of this chapter. 

4.2.5 Sub-presentations and verification 

It is clear that a presentation of a polynomial on a domain V contains presentations of that 
polynomial on subsets of that domain. In this section, we will explain how to deal with 



For simplicity, we ignore the x,'s for which E does not have full degree. However, if we look back at 
Lemma 4.2.14, we see that E and P share zeroes at infinity at these x 8 's. 
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these sub-presentations. We begin with the following simple observation: 

Proposition 4.2.23 Let P be a e-good (d x , d y , (^-presentation over a domain V = X X Y X 
Z, and let V = X' X Y' X Z' be a subset of V such that 

c|X>'| > \V\. 

If we let P' consist of the elements of P that correspond to a presentation over V , then P' is 
ce-good. Moreover, if 

\X\ \Y\ \Z\ 
then the degree (d x ,d y ,d z ) polynomial to which P' is close is the same polynomial which P is 
close to. 

Proof: The first part is obvious. The second follows from Lemma 4.2.5. ■ 

Tri-variate verification algorithm (at (x ,y ,z )) 

Remark: Assume that this algorithm is given a presentation P over X X Y X Z. 

Remark: We will let e be some small constant. 

1. Check that the presentation P is e-good. 

2. Check that the sub-presentation on X X Y X z is e-good using the bivariate 
presentation checking algorithm. 

3. Choose a constant number of points ofIxFxz at random and check that the 
univariate polynomial of P in z that goes through each takes the value assigned to 
that point by the presentation. 

4. Choose a constant number of points of X X y X z and check that the univariate 
polynomial of P in x that goes through each point takes the value assigned to that 
point by the presentation. 

5. Check that the univariate polynomial of P in x that goes through (x , y , z ) agrees 
with the value assigned to that point by P. 

Another type of sub-presentation is one of lower dimension. For example, a trivariate 
presentation P over X xY X Z contains a bivariate presentation over X xY X z , for z £ Z. 
However, the fact that P is e-good tells us little about this sub-presentation. 

To show that the sub-presentation can be certified as good, we will show a stronger 
property of presentations: they have simple verifiers. That is, once we know that a presen- 
tation is e-good for a sufficiently small e, we can check whether any particular segment of 
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the presentation is the same as the segment of the presentation of the polynomial that our 
presentation is close to. 

Lemma 4.2.24 There exists a constant c such that for all e > there exist constants in 
the trivariate verification algorithm such that if P is a (d x , d y , (^)-presentation over a domain 
1x7x2 where 

cd x < |X| , cd y < \Y\ , and cd z < \Z\ , then 

• If the verification algorithm passes Step 1 with probability at least 1/2, then there is a 
polynomial p(x, y, z) of degree (-,-,•) such that P is e-close to a presentation of p(x, y, z). 

• If the verification algorithm passes Steps 1, 2, and 3, with probability at least 1/2, then 
the sub-presentation of P on X X Y X z is e-close to a presentation of p(x, y, z ). 

• If the verification algorithm passes Steps 1 through 4 with probability at least 1/2, then 
the univariate polynomial of P in x through (-,y ,z ) is p(x, y , z ). 

• If the verification algorithm passes Steps 1 through 5 with probability at least 1/2, then 
the value that P assigns to the point (x , y , z ) is p(x , yo, z ). 

Proof: These facts follow from Lemma 4.2.5, Lemma 4.2.12 and Corollary 4.2.20. ■ 

This verification algorithm appears in [Sud.92]. Our contribution is the realization that 
it works over domains whose size is linear in the degree of the presentations. 
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4.3 A simple holographic proof system 

4.3.1 Choosing a key problem 

We will base our holographic proof system on a particular NP-complete problem. We want 
to choose a problem such that 

• the descriptions of instances of problems like 3SAT and circuit satisfiability can be 
easily and efficiently transformed into instances of our problem, and 

• it is particularly easy to create a holographic proof system for our problem. 

So that we can better understand the second objective, let us examine why it might be 
difficult to create a holographic proof system directly for the problem of circuit satisfiability. 
The usual way of describing an instance of circuit satisfiability is to describe a circuit by 
providing, for each gate in the circuit, its function and the names of its inputs. Checking 
whether an assignment satisfies a circuit can be a very irregular process: to compute the 
value of a gate in the circuit, one must first look up the names of the inputs to the gate and 
then their values. These gates could be anywhere in the circuit. When we try to design 
a holographic proof system directly for the circuit satisfiability problem, we find that the 
majority of our proof is devoted to making sure that the values of the gates are being 
shuttled around the proof correctly. The overhead that we thereby incur prevents us from 
finding an efficient holographic proof system for this problem. 

We will design a problem such that when we want to determine whether one of its 
constraints is satisfied, we will know instantly where we should find the values that we need 
to examine. In our problem, one will be able to compute the names of the variables involved 
in a constraint just from the name of the constraint. We thereby eliminate the overhead 
associated with the irregular structure of problems like circuit satisfiability. Moreover, it 
will be easy to reduce problems such as circuit satisfiability to instances of our problem. So 
that we can apply the tools of Section 4.2, we will need to make our problem simple in an 
algebraic sense, but we will discuss this later. 

The problem that we will use will be a coloring problem on a "wrapped de Bruijn 
graph" . An instance of the problem will consist of an assignment of a first color to each 
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node in the graph. A solution of the problem will be an assignment of a second color to 
each node in the graph so that the pairs of colors assigned to each node and its neighbors 
satisfy certain coloring rules. Each coloring rule will restrict the configuration of colors that 
can be assigned to a node and its neighbors. The same rules will apply to every node in the 
graph. We will call an instance of the coloring problem a coloring problem instance and a 
solution of such an instance a coloring problem solution. 

Let us recall the definition of a de Bruijn graph (see Figure 4-3 for an example). 

Definition 4.3.1 The de Bruijn graph B n is a directed graph on 2 n nodes in which each node 
is represented by an ra-digit binary string. The node represented by the string (xi, . . . , x n ) has 
edges pointing to the nodes represented by 

(X2i • • • i x ni x l) ar) d {X21 • • • i x ni\ x l@ ^-))i 

where by a © b we mean the sum of a and b modulo 2. 




Figure 4-3: A de Bruijn graph 



We will define a wrapped de Bruijn graph to be the product of a de Bruijn graph with 
a cycle, where in the product we will put an edge from vertex (x, a) to vertex (y, b) if and 
only if there are edges from x to y and a to b (See Figure 4-4). The size of the cycle needs to 
be some constant times n that is large enough for us to perform certain routing operations 
on the graph. 5ra will suffice. 

Definition 4.3.2 The wrapped de Bruijn graph B n is a directed graph on 5ra • 2 n nodes in 
which each node is represented by a pair consisting of a number modulo 5ra and an ra-digit 
binary string. The node represented by the pair (a, (s l7 . . . , x n )) has edges pointing to the 
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nodes represented by 

(a+ 1,(2:2, • • -,Xn,Xi)) and (a + l,(x 2 ,. ■ .,x n ,(x 1 © 1))), 

where the addition a + 1 is taken modulo 5ra. For a fixed a £ {0, . . . , 5ra — 1}, we will refer to 
the set of nodes whose representation begins with a as a column of the graph (to agree with a 
column in Figure 4-4). 




Figure 4-4: A wrapped de Bruijn graph 
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We use wrapped de Bruijn graphs for two reasons: one can route any permutation 
on such a graph and, as we will see in Section 4.3.2, they have a very simple algebraic 
description. 

Our ability to route permutations on a wrapped de Bruijn graph enables us to "draw" 
a circuit on one. We begin by considering an ordinary drawing of a circuit (Figure 4-5). 
To draw the circuit on a wrapped de Bruijn graph, we will associate one column of the 
wrapped de Bruijn graph with the gates of the circuit (some nodes of the column may not 
be associated with any gate in the circuit). To each type of node that could appear in a 
circuit, we will assign a color; thus, the association of nodes in the circuit with nodes in the 
graph will be accomplished by coloring the nodes in the graph with the correct colors. For 
the convenience of later arguments, we will also create a special "output" node. 



output 




Figure 4-5: A drawing of a circuit 



We now color the remaining nodes of the graph in a manner that describes the connec- 
tions that appear between the gates in the circuit. To each of these remaining nodes, we 
associate a switching action such as one of those depicted in Figure 4-6 (again, by coloring 
a node with a color associated with its switching action). Note that we allow a switch to 
copy an incoming message and send it to both of its outputs (e.g. the switch in the lower 
left-hand corner of Figure 4-6). We view the task of assigning the switching actions that 
connect gates to their inputs as a routing problem in which each node has at most two 
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incoming packets. By using standard packet-routing techniques (see [Lei92]), we see that 
5ra steps through a de Bruijn graph of 2 n nodes are sufficient to solve the routing problem. 
Thus, we can find switching actions for each of the nodes in the wrapped de Bruijn graph 
so that the output of each gate is routed to the inputs of those gates that need it (see 
Figure 4-7). 







Figure 4-6: Some switching actions 

A proof that the circuit is satisfiable should consist of an assignment of O's and l's to 
the inputs and the gates of the circuit that is consistent with a satisfying assignment (See 
Figure 4-9). The translation of this proof into a second coloring of the graph will consist of 
an assignment of O's and l's to the wires entering and leaving the nodes of the graph that 
is consistent with the assignment, the actions of the gates, and the switching actions. Since 
we are only supposed to color nodes of the graph, and not its wires, the proof will actually 
assign each node a four-tuple of symbols that indicate whether the edges attached to the 
node are 0, 1, or blank. (Figure 4-8 contains some valid second colors). We will choose our 
coloring rules so that the only legal colorings of the graph will be those that assign a or 1 
to each input, correctly propagate values along wires, correctly compute the value of every 
gate, and produce a 1 at the output gate. Figure 4-9 contains a picture of a proof that 
the circuit in Figure 4-5 is satisfiable. Figure 4-10 contains depictions of parts of second 
colorings that violate the coloring rules. 

Now, we have fully described what constitutes a graph coloring problem instance and a 
graph coloring problem solution. 
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Figure 4-7: A drawing of the circuit on a wrapped de Bruijn graph. The left and right 
columns of the graph should be identified with one another, but are drawn twice for the 
convenience of the artist. Dark lines correspond to wires in the circuit. 







Figure 4-8: Some legal second colors for the switches in Figure 4-6. 
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Figure 4-10: Some assignments of second colors that violate the coloring rules. 
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Remark 4.3.3 The length of this type of description of a circuit only differs from the length 
of a more conventional description by a constant factor. When one usually describes a circuit 
of m gates, one assigns a name to each gate and, for each gate, lists the operation that the 
gate performs and the names of the gates that are its inputs. This description should have size 
9(m\ogm). Since we describe a circuit of m gates by assigning one of a constant number of 
colors to each node of a graph of size 0{m log to), these descriptions differ in size by at most 
a constant multiplicative factor. 

4.3.2 Algebraically simple graphs 

In this section, we will show that wrapped de Bruijn graphs have a very simple algebraic 
description. Actually, we obtain an algebraic description of graphs that we call extended de 
Bruijn graphs, which are the product of the line graph on 5n + 1 nodes and the de Bruijn 
graph. The identification of the first and last columns is provided by the holographic 
proof. We will use this description to translate our graph coloring problem into an algebraic 
problem to which we can apply the machinery we developed in Section 4.2. We begin by 
defining a graph on the elements of GF(2 n ). 

Definition 4.3.4 A Galois graph G n is a directed graph on 2" nodes in which each node is 
identified with an element of GF(2 n ). Let a be a generator 7 of GF(2 n ). The node represented 
by 7 G GF(2 n ) has edges pointing to the nodes represented by 

aj and aj + 1. 

Lemma 4.3.5 The Galois graph G n is isomorphic to the de Bruijn graph B n . 

Proof: We will begin by recalling a standard representation (the non-technical meaning 
of representation) of GF(2 n ). Let p(a) be an irreducible polynomial of degree n in GF(2)[a] 
(i.e. a polynomial with coefficients in GF(2) that is irreducible over GF(2)). 

GF(2 n ) = GF(2)[a]/p(a). 



A generator is an element such that a =1 and a =£ 1 for any < k < 2" — 1. Every element of 

GF(2 n ) can be represented by a polynomial of degree less than n in a with coefficients in {0, f }. 
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That is, the elements of GF(2 n ) can be represented as polynomials in a of degree at most 
n — 1 with coefficients in GF(2). Addition of these polynomials is performed component- 
wise. To understand how multiplication behaves, let 

p(a) = a" + ^a"' 1 + \- c n _ x a + c n . 

We multiply elements of GF(2 n ) by the standard multiplication algorithm for polynomials 
(remember to add component- wise). If we obtain a polynomial of degree higher than n — 1, 
we apply the relation 

a" = c x a n ~ x + h c n _ x a + c n 

until we obtain a polynomial of degree at most n — 1. 

We will represent the vertices of the de Bruijn graph on 2 n vertices by length n vectors 
of elements of GF(2). 

We define (f>, and isomorphism from vertices of the de Bruijn graph to vertices of G n , by 

<f>(b u b 2 , ...,&„) = «""% + a n ~ 2 (b 2 + dfej + •••+( b n + Y, e-iK-i ) ■ 

To see that this is an isomorphism, observe that in the de Bruijn graph, the edges leaving 
(&!,..., b n ) go to vertices 

(6 2 ,6 3 ,...,6„,6i) and (b 2 , b 3 , . . . , b n , b x ® I); 

whereas in G n , one edge leaving 

a n - x b x + a n ~ 2 (b 2 + d&i) +■■■+ U n + J2 c i b n-i ) 

goes to 



a a"- 1 ^ + a n -' 2 (b 2 + c^) + ■■■+ (b n + J2 c i b 



n — i 
1 
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= &! (^a" -1 H h c n _ 1 a + c„) + a I a n ~ 2 (b 2 + c^) + h I & n + X] c ^«-» J J 

= a n_1 6 2 + a"~ 2 (b 3 + ci& 2 ) • • • + a I 6 n + ^ c 8 -6„_ 8 - J + c n 6 l7 
and the other goes to 

a n ~ x b 2 + a"- 2 (b 3 + Cl b 2 ) • • • + a I 6„ + J2 c «" 6 n-" ) + c « 5 i + *> 
which we can easily verify are 

^(6 2 ,6 3 ,...,6„,6i) and <f>(b 2 ,b 3 , . . .,b n ,bi ® 1). 



In our constructions of holographic proofs, we will actually want to identify the de Bruijn 
graph with a graph over GF(2"/ 2 ) X GF(2"/ 2 ) rather than with a graph over GF(2"). This 
is easily accomplished: 

Proposition 4.3.6 Let n be even and let a be a generator of GF(2 n l 2 ). Then, the graph on 
GF(2 n l 2 ) X GF(2 n l 2 ) in which the node represented by (a, r) has edges to the nodes represented 
by 

(r, aa) and (r, ac+1), 

is isomorphic to the de Bruijn graph B n . 

Proof: By Lemma 4.3.5, we see that this graph is isomorphic to the graph on binary 
strings of length n in which the node (6 l5 . . . , b n / 2 , b n / 2 +i, • • • , b n ) has edges to the nodes 

(b n/2+1 , • • • , b n , b 2 , . . . , b n/2 , 6i) and (b n/2+1 , . . . , b n , b 2 , . . . , b n/2 , b x ® 1). 

We now shuffle the 6,'s to see that this graph is isomorphic to the graph in which node 
(bi, b n /2+i, b 2 , b n/2+ 2, • • • , b n/2 , b n ) has edges to the nodes 

(K/2+1, b 2 , b n / 2 +2, • • • , K/2, K, bi) and (&„/2+i, b 2 , b n / 2+2 , • • • , &n/2, &«, &i © 1)? 
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which is easily seen to be identical to the de Bruijn graph B n . ■ 

We will conclude this section by presenting a simple algebraic description of the extended 
de Bruijn graph. 

Proposition 4.3.7 Let n be even and let a be a generator of T = GF(2 n l 2 ). Let £ = 

{1, a, . . . , a 5 "}, and let £' = {1, a, . . . , a 5n_1 }. Then, the extended de Bruijn graph on (5ra + 
f )2 n vertices is isomorphic to the graph on TxTx£ in which each vertex in (x, y, z) G TxTx£' 
has edges to vertices 

(y,ax,az) and (y, ax + f , az). 

For convenience, we will often denote a triple (x, y, z) by a vector, x. We will then use pi(x) 
and p^ix) to denote the neighbors of x. Formally, p x and p 2 are given by 

p x : (x,y,z) ^ (y,ax,az) 
p 2 :(x,y,z) ^ (y,ax + l,az) 

4.3.3 Arithmetizing the graph coloring problem 

In this section, we will use the algebraic description of the extended de Bruijn graphs given 
by Proposition 4.3.7 to construct an algebraic version of our graph coloring problem. For 
the purposes of this construction, we will define J 7 , £, and £' as we did in Proposition 4.3.7. 
Since we have identified the nodes of our graph with T X T X £, we will view a coloring 
of the graph as a function over this domain. To this end, we will choose a set C C T to 
represent the set of allowable colors. Thus, a coloring problem instance can be viewed as a 
function 

T:TxTx£-fC. 

So that it will jibe better with the machinery that we have developed, we will actually view 
the coloring problem instance as a degree {\T\ , \T\ , |£|) polynomial over T . We will similarly 
view the coloring problem solution, P(x, y, z), as a degree (|.F| , \F\ , |£|) polynomial. When 
we speak of a presentation of a coloring problem solution, we mean a presentation of this 
polynomial. 
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The local graph coloring rules will be described by a constant degree polynomial that 
takes a constant number of variables. Let x£j 7 xJ 7 xE'be& vertex of the graph. Assuming 
that T(x), T(pi(x)), T(p 2 (x)), P(x), P(pi(x)), and P(p 2 (x)) are all in C, we can form a 
constant degree polynomial x which has the property that 

x(T(x),T(p 1 (x)),T(p 2 (x)),P(x),P( Pl (x)),P(p 2 (x))) = 

if and only if the colors assigned by T and P to x, pi(x), and p 2 (x) satisfy all the local 
coloring rules. The reason that we can assume that x nas constant degree is that its value 
is constrained only at the points of C 6 , which is a finite set. Since the coloring rules are the 
same throughout the graph, x does not depend on x. 

In order to check that the polynomials T and P actually do map each node of the graph 
to an element of C, rather than an arbitrary element of J 7 , we will form a constant degree 
univariate polynomial V'(t) which will be zero if and only if 7 £ C. 8 Before we check that 
the coloring rules described by x are satisfied, we will first check that ip(P(x)) and ip(T(x)) 
evaluate to zero for each x £ T X T X E. 

To check that the colors assigned to the last column of the extended de Bruijn graph 
are the same as the colors assigned to the first column, we need merely check that for all 

T(x,y,l)-T(x,y,a 5n ) = and P(x, y, 1) - P(x, y, a 5n ) = 0. 

We can now re-state the graph coloring problem as a problem concerning the existence 
of certain polynomials: Given a degree (|.F| , \F\ , |£|) polynomial T over J 7 , we say that 
another degree (\J-\ , \T\ , |£|) polynomial P solves T if 

(1) i>{P{x)) = and i>{T{x)) = 0, Vx e J 7 X J 7 X E 

(2) X (T(x),T( Pl (x)),T(p 2 (x)), P(x), P(Mx)), P(p 2 (x))) = 0, Vx e J 7 X J 7 X E> 

(3) T{x,y, 1)-T(x,y,a 5n ) = and P{x, y, 1) - P{x, y, a 5n ) = 0, V(>, y) £ T X T 



We can choose ^(7) = ri cFC (7 — c ) 
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We can view the polynomial T as a coloring problem instance and the polynomial P 
as a coloring problem solution. We won't verify that all these conditions are satisfied by 
examining the values of T and P at each point of T X T X E individually. Instead, we will 
provide presentations of the polynomials T(x, y, z) and P(x, y, z), as well as some additional 
information, so that the proof checker will only need to examine only a constant number of 
segments of each presentation. The details of this process are explained in the next section. 

4.3.4 A Holographic Proof 

We will want to provide presentations of P(x, y, z) and T(x, y, z) that are verifiable (see Sec- 
tion 4.2.5). To do this, we will choose domains 7i and J that contain T and E respectively, 
and insist that P and T be presented over 7i X 7i X J . The conditions of Lemma 4.2.24 
require that 7i and J have sizes that are larger than T and E by a constant factor. Other 
constraints on our choice of 7i and J will appear later in this section. For now, let us fix a 
field Q that contains the field J 7 , and insist that 7i and J be subsets of Q . Note that it is 
possible to find such a field Q whose size is the square of the size of J 7 . 9 We now describe 
what the proof checker should do to verify that P solves T, and what needs to be provided 
with P to enable to proof checker to do so. To anthropomorphize the situation, we imagine 
that a proof provider wants to supply the proof checker with enough information to check 
that P solves T. 

The techniques that we use in this section are derived from [Sud92]. 

Remark 4.3.8 Various unspecified constants will appear in this discussion. It should be clear 
that sufficiently extreme choices for these constants will suffice to prove the lemma that con- 
cludes the section. 

STEP 1: When provided with presentations of T and P, the proof checker should check 
that these presentations are e-good, for some small constant e. 

Remark 4.3.9 Every time the proof checker is provided with a presentation by the proof 
provider, it will check that the presentation is e-good for some very small e. If the presentation 



It is an elementary result from the theory of finite fields that GF(2 n ' ) is a subfield of GF(2 r ' 
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passes this test, then the proof checker will thereafter assume that the presentation actually 
does represent some polynomial and that, whenever it queries a segment of the presentation, it 
receives a segment of the presentation of that polynomial. We will choose e to be sufficiently 
small so that if the proof checker were mistaken in this assumption, this mistake would have 
been detected with high probability during the checking. 

We will now describe how the proof checker should verify that P and T satisfy condi- 
tion (1). 

Remark 4.3.10 Actually, the proof checker can only become confident that the polynomials 
to which the presentations of P and T are close satisfy relation (1). It cannot know anything 
about any particular piece of these presentations that it does not read. This is an important 
thought to keep in mind as one reads this section. 

The proof checker will insist that the proof provider provide a presentation of the poly- 
nomials ip(P(x,y,z)) and ip(T(x,y,z)) on the domain 7i X 7i X J . We will choose 7i and 
J sufficiently large so that these presentations are checkable and verifiable. Since ip is a 
constant degree polynomial, the degrees of ip(P(x,y,z)) and ip(T(x,y,z)) will be only be 
larger than the degrees of P(x, y, z) and T(x, y, z) by a constant factor. Because the proof 
checker cannot be sure that the presentations that it is given actually do represent ip(P) 
and tp(T), we will refer to the presentations that the proof provider provides as ip(P) and 

STEP 2: The proof checker should check that the presentations ip(T) and ip(P) e-good, 
for some small constant e. 

Now that the proof checker has checked that the presentations of P, T, ip(P), and 
ip(T) are good, it will assume that they are close to presentations of polynomials of the 
appropriate degrees, and it will want to check that these polynomials actually are ip(P) and 
ip(T). It will do this by choosing random points x, and verifying that ip(P(x)) = ip(P)(x). 
It will then do the same for T. 

STEP 3: The proof checker should choose a constant number of points {Si, . . ., x c } C 
7i X 7i X J . For each point £,, the proof checker should read T(xi) and P(a;,), compute 
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ip(T(xi)) and ?/>(P(if,)), and then check that these values agree with ip(P)(xi) and ip(T)(xi). 

From Lemma 4.2.5, we know that if ip(P) and ip(T) were presentations of polynomials 
other than ip(P) and tp(T), then they would fail Step 3 with high probability. Thus, once the 
presentations have passed Step 3, the proof checker will be safe in assuming that whenever 
it reads a segment from ip(P) or ip(T), it actually reads a segment of the presentation of 
i/)(P) of i/)(T). 

We will now describe how the proof provider will convince the proof checker that 
ip(P(x)) = for all x £ T X T X E. The proof for ip(T) will be similar, so we will just 
discuss the proof for ip(P). 

The proof provider will provide presentations of polynomials that we will call $', $", 
and $'", where these polynomials are defined to be: 



2 



72 



8 = 1 
2 r/2 

i=i 
y'"(x,y,z) = f>"(*,y,ay, 



( = 



where {/ l7 . . . , / 2 »/ 2 } are the elements of T. The purpose of these polynomials is best 
understood by observing that 

*'"(x, y, z) = J2 E E ^( p (/» /,■,«')>*'" V'- 1 ^- 

8 = 1 j = l ( = 

The polynomial $'" is the zero polynomial if and only if ip(P) is zero on all of T X T X E. 
Moreover, we can efficiently check that each of $', $", and $'" are formed correctly and 
that $'" is the zero polynomial. We will call $', $", and $'" the presentations that the 
proof provider provides which it claims are presentations of $', $", and $'". 

STEP 4: The proof checker should check that the presentations $', $", and $'" are e- 
good, for some small constant e. The proof checker should do the same for the analogous 
polynomials corresponding to tp(T). 
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STEP 5: The proof checker should choose a constant number of random points 

{(yi,zi),...,(y e ,z e )} eHx J. 

For each point (y,,,?,), the proof checker should check that the univariate polynomial in x 
through (yi,Zi) in the presentation of $' and the corresponding polynomial in the presen- 
tation of ip(P) have the relation indicated by (*). The proof checker should then perform 
the analogous operations to verify that $" and $'" have been properly formed. 

The proof checker can efficiently verify that the two univariate polynomials through 
(yi,Zi) have the relation indicated in (*) by performing a Finite Fourier transform. This 
test is sufficient to convince the proof checker that $' has been correctly formed because, 
after Step 4, the proof checker is confident that the presentation that purports to be $' is 
a presentation of the appropriate degree and Lemma 4.2.5 implies that the test in Step 5 
would fail with high probability if $' were not the correct polynomial. The proof checker is 
similarly convinced that $" and $'" are presentations of the polynomials $" and $'" and 
that they satisfy the desired relations with ip(P). 

STEP 6: The proof checker should choose a constant number of points 

{x i ^ ... ^ x c j G J~ X / X c- , 

and verify that $"'(;?,) = 0, for each i. 

After performing Step 6, the proof checker will be confident that $'" = (this is another 
application of Lemma 4.2.5). If the proof has passed all these steps, then the proof checker 
can be confident that the presentations of P and T satisfy condition (1). 

We will now explain how the proof checker will verify that P and T satisfy condition (2). 
This procedure will be very similar to the procedure for condition (1), so we will only 
describe in detail those places in which it differs. 

The proof checker will need access to presentations of T(pi(x)), Tip^ix)), P(pi(x)), 
and P(p 2 (x)). We will choose 7i and J so that these presentations are contained as sub- 
presentations of the presentations of T and P. Let I be a set so that J C I, 1 = 1+1, 
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and X is some constant times larger than T . We will let 7i = X U aX. We similarly choose 
/C to be a set which contains E and which is larger by a constant factor. We then set 
J = /C U atC. We now observe that the presentations of T and P on TC X TC X J contain 
sub-presentations oiT(x), T(pi(x)), T(p 2 (x)), P(x) P(pi(x)), and P(p 2 (x)) on X X X X IC. 
Proposition 4.2.23 tells us that once we have verified that the presentations of P and T over 
7i xTi X J are e-good, we know that these sub-presentations over IxIxK are 8e-good. 
Since it verified that the presentations of P and T were good in Step 1, the proof checker 
will assume that these other presentations are good as well, and that whenever it queries 
one of these presentations at a point, it receives the value of the polynomial to which the 
presentation is close. 

The proof provider should provide a presentation of 

X (T(x),T( Pl (x)),T(p 2 (x)), P(f), P( Pl (x)), P(p 2 (x))) 

on X X X X IC. We will call this presentation \. 

STEP 7: The proof checker should check that the presentation of x 1S e-good for some 
small e. This is analogous to Step 2. 

Since x, p x and p 2 are constant degree polynomials, the domains I and /C only need to 
be larger than T and E by a constant multiplicative factor in order to make this step work. 

Now that the proof checker knows that x i s close to the presentation of some polynomial, 
it needs to verify that this polynomial has been built correctly from the presentations of T 
and P. 

STEP 8: This step is analogous to Step 3. The proof checker should choose a constant 
number of points {xi, . . . , x c } C TxXxK,. For each point if,, the proof checker should read 
T(xi), T(pi(xi)), T(p 2 (xi)), P(xi) P(pi(xi)), and P(p 2 (xi)), and and then check that 

X(xi) = X (T(x i ),T(p 1 (x i )),T(p 2 (x i )), P(xi), P(p 1 (x i )), P(p 2 (f 8 -))) 

for each i. 

From Lemma 4.2.5, we know that if x is n °t close to the correct polynomial, then this 
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step will fail with high probability. Thus, once the presentation has passed Step 8, the 
proof checker will be safe in assuming that whenever it reads a segment from x, it actually 
receives a segment of the presentation of \- 

Now, the proof checker must check that \ 1S zero over T X T X £' . This is done in 
exactly the same was it was done for ip. 

STEPS 9, 10, and 11: Analogous to Steps 4, 5, and 6. 

It only remains to check that condition (3) is satisfied. We will only explain how the 
proof checker does this for P as the procedure for T is identical. 

STEPS 12: Check that the sub-presentations of P on H X U X 1 and H X U X a 5n are 
e-good for some small e. Check these on the same points and make sure that they agree on 
these points. 

STEPS 13: Check that the bivariate polynomials which the presentations of P on TCxTCx 1 
and 7i X 7i X a 5n are close to are the restrictions of the trivariate polynomial to which the 
presentation of P is close using Step 3 of the trivariate verification algorithm. 

Note that if the proof checker does not perform Step 13, then it would be possible for 
the sub-presentations on 7i X 7i X 1 and 7i X 7i X a 5n to be identical but have nothing to 
do with the rest of the presentation of P. 

We have now completed our description of our first holographic proof. Observe that the 
proof consists only of a constant number of presentations of polynomials on domains larger 
than T X T X E by a constant factor. We have proved: 

Lemma 4.3.11 There exists a probabilistic algorithm V that expects as input a presentation 
of a coloring problem instance, a presentation of a coloring problem solution, and a constant 
number of additional presentations such that: 

• we refer to the the presentation of the coloring problem solution and the additional pre- 
sentations as a holographic proof; 

• the total size of the presentations in the holographic proof is at most ralog^ ' n, where n 
is size of the coloring problem instance; 
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• V only reads a constant number of segments, each of size at most y^log^ ' n, from 
each presentation; 

• if the coloring problem instance is solvable, then there is a holographic proof that will 
cause V to accept with probability 1; 

• if V accepts with probability greater than 1/2, then the inputs of V are close to a pre- 
sentation of a coloring problem instance and a proof that that instance is solvable. 

In the next section, we will see how to recursively apply this proof system to itself. 
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4.4 Recursion 

In this section, we will see how to recursively apply the holographic proofs constructed in 
Section 4.3. 

We begin by examining the operations that are performed by the checker of the holo- 
graphic proofs constructed in Section 4.3.4 (i.e. the operations in Steps 1-13). We observe 
that only four types of operations are performed by the checker: 

• checking whether a given polynomial is zero at a certain point, 

• checking whether a given polynomial assumes a given value at a certain point, 

• checking whether some constant degree polynomial evaluated at a given point takes 
a given value, and 

• in Step 5, checking whether a given polynomial assumes a given set of values at a set 
of points, where the size of that set is smaller than the degree of the polynomial. 

All of these operations can be performed by circuits of size ralog^ ' n. The main idea 
behind our recursion will be to provide holographic proofs that each of these operations can 
be performed correctly so that the checker doesn't actually have to perform the operations. 
Thus, instead of reading a constant number of segments of size roughly 0(y/n) to check a 
holographic proof, the checker will be able to read a constant number of segments of size 
0{^/n) for each of the original segments. After k levels of recursion the checker will read 
2°( k ) segments of size roughly 0{ 2 \/n). We can then cap this recursion with Theorem 4.0.1 
to obtain holographic proofs of size 0{n 1+e ) checkable by a constant number of queries, for 
any e > 0. 

The two main tools that we will use to implement this idea are "encoded inputs" and 
the Fast Fourier Transform. 

4.4.1 Encoded inputs 

When Babai, Fortnow, Levin, and Szegedy [BFLS91] introduced transparent proofs, they 
presented the theorem candidate in an error-correcting code so that the proof checker would 



126 Holographic Proofs 



only have to read a constant number its bits. This idea was vital to the recursions in the work 
of Arora and Safra [AS92b] and Arora, Lund, Motwani, Sudan, and Szegedy [ALM+92], and 
we will make use of it as well. 

In Section 4.3, we saw how to create a holographic proof that a circuit has a satisfying 
assignment. A weakness of this construction is that the satisfying assignment appears 
within the holographic proof. For our recursion, we will want to construct many holographic 
proofs concerning one piece of data. Thus, we will need some way of checking that part of 
a satisfying assignment in a holographic proof is the same as a piece of external data. We 
want to do this without reading more than a constant number of bits of the external data. 



Theorem: 

C is satisfiable. 



Holographic proof that 
C is satisfied by 
E(p(x)) and E(v) 



check proof 



Proof-checker 




check that satisfying assignment in proof 
actually is this assignment. 



E(p(x)) 



Figure 4-11: The proof checker needs to be sure that the proof shows that C" is satisfied 
by E(p(x)) and E(v), which are written elsewhere. 

For example, we might want to provide a holographic proof that a polynomial p(x) takes 
the value v at x , but we don't want to force the proof checker to read the entire description 
of p(x) or v. To do this, we first choose an asymptotically good error-correcting code, which 
we will call E for the rest of the chapter. 10 Instead of writing the description of p(x) and 
v in the normal way, we insist that they be presented as E(p(x)) and E(v). Now, consider 
a circuit C that takes a polynomial and a value as input and accepts if that polynomial 
has that value when evaluated at x . We modify C to produce a circuit C" that expects its 



Actually, it is unnecessary that E have constant rate, but we may as well assume that it does. 
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inputs to be encoded in the code E. G" will accept if and only if its inputs are codewords 
of E that encode a polynomial and a value that would cause C to accept. Our checker will 
ask for a holographic proof that C" accepts on inputs E(p(x)) and E(v). When the checker 
checks that the holographic proof is correct, it becomes convinced that there is a satisfying 
assignment of C", but it has not yet learned anything about that assignment. To become 
convinced that the satisfying assignment in the holographic proof actually is the same as 
its external data (which it presumes to be E(p(x)) and E(v)), the checker will read a few 
randomly chosen bits of its external data and check that these agree with the corresponding 
inputs represented in the holographic proof (see Figure 4-11). The checker can check the 
values of inputs represented in the holographic proof because the presentations in the proof 
are verifiable (as discussed in Section 4.1); so, the checker can verify the value of any gate 
in the circuit represented in the holographic proof. 

If we choose E to be a code with constant relative minimum distance then, after success- 
fully comparing a constant number of bits, the checker will be convinced that the external 
data is close to a unique codeword of E and that that codeword is the same as the one 
in the satisfying assignment in the holographic proof. This is because, after checking the 
holographic proof, the checker is confident that its satisfying assignment contains codewords 
of E, and all codewords of E are far apart so a piece of external data can agree with high 
probability with only one codeword of E. If we choose £ to be a code in which it is easy to 
verify whether or not a word is in the code, then the circuit C" will have almost the same 
size as the circuit C . The codes that we constructed in Chapters 2 and 3 can be decoded 
in linear time, so these are well-suited to our purposes. If we use one of these codes, then 
the size of C" will exceed the size of C by at most a constant times the size of its inputs. 
We assume that E is one of these codes in the rest of this chapter. 

4.4.2 Using the Fast Fourier Transform 

One's first inclination for how to recursively apply our construction of holographic proofs — 
encode every segment of every object in an error-correcting code and provide holographic 
proofs for each operation that the checker needs to perform — creates proofs that are a little 
too big. Consider what happens if we try this for the bivariate code that we presented in 
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Section 4.2. There are 9 (\/n) univariate polynomials of degree 9 (\/n) in a presentation 
containing 9 (n) bits of data. The checker might want to evaluate any of these polynomials 
at any of 9 (\/n) points. The holographic proof that a polynomial of degree 9 (\/n) takes 
a certain value at a certain point will have size at least 9(^/n). If we were to provide a 
separate proof for each of the 9 (y/n) polynomials at each of 9 (y/n) points, then these proofs 
would have total size at least 9 (n 3 / 2 ). 

To prevent this explosion, we will combine many of these proofs into one. For each 
polynomial, we will create just one proof that provides its values when it is evaluated at all 
of the points we are concerned with. We replace each presentation of a degree (d x ,d y ,d z ) 
polynomial p over a domain X xY X Z with (see Figure 4-12) 

• for each point in the domain, an encoding of the value of p at that point, 

• for each univariate polynomial in the presentation, and encoding of the description of 
that polynomial, and 

• for each univariate polynomial in the presentation, a holographic proof that presents 
its value for each point it intersects in the domain; this proof should be verifiable so 
that it can be used as a proof that any one of the encoded polynomials takes one 
of the encoded values at a point. The proof checker will need to provide a coloring 
problem instance that describes this relation. 

For each of the four types of operations that the checker needs to perform (listed at the 
beginning of Section 4.4) we present a holographic proof that this operation has been per- 
formed correctly. 

Aho, Hopcroft and Ullman [AHU74, Chapter 8.5] show that a polynomial can be ef- 
ficiently evaluated at any reasonable set of points in a field using a few discrete fourier 
transforms. Using the efficient implementation of the discrete fourier transform over a fi- 
nite field presented by Preparata and Sarwate [PS77], the univariate polynomials can be 
evaluated at each point in their domain by circuits of size ralog^ ' n. Thus, if we use 
Lemma 4.3.11 to construct the holographic proofs, the total size of these objects is larger 
than the size of the presentation by at most a poly-logarithmic factor. Similarly, if we use 
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Figure 4-12: A presentation is replaced for recursion. 
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Theorem 4.0.1 to construct the holographic proofs, then the total size of these objects is at 
most a polynomial in the size of the presentation. 

We can now prove the first variation of our main holographic proof theorem. 

Theorem 4.4.1 [Efficient holographic proofs, variation 1] For all polynomial-time constructible 
functions q(n) = O(loglogn), there exists a polynomial time algorithm V (called a proof 
checker) that expects as input an encoding of a coloring problem instance T and a holographic 
proof II such that 

. \n\ = \T\ 1+2 *~ q(n \iog\T\)^»- 

• V reads only 2°^ n » bits of T and II; 

• if the coloring problem instance T is solvable, then there is a holographic proof II that 
will cause V to accept with probability 1; moreover, II can be computed from a coloring 
problem solution of T in time |II| log^ ' |II|; 

• if V accepts (T, II) with probability greater than 1/2, then T is close to an encoding of 
a coloring problem instance and II contains a presentation that is close to a solution of 
that instance. 

Proof: We first apply Lemma 4.3.11 to itself q(n) times. To perform the recursion, we 
replace each presentation by encodings of its objects and a constant number of additional 
presentations as described in Sections 4.4.1 and 4.4.2. Note that the checker must provide 
presentations of coloring problem instances that say that the operations in the recursion are 
being performed correctly, while the proof must contain presentations of coloring problem 
solutions. These presentations are verifiable so that the checker can make sure that they 
actually refer to the encoded objects. 

At this point, we have a proof II that has size \T\ (log \T\) c ^ q ^ n ' , ' , which can be checked by 
examining 2°^™^ of its segments, each of which has size at most \T\ (log \T\) c ^ q ^ n ^ . We 

now cap the recursion by applying Theorem 4.0.1 to construct the last set of holographic 
proofs. This will result in a polynomial blow-up in the size of each presentation. ■ 
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4.5 Efficient proof checkers 

In this section, we explain how to make the checkers of the proofs presented in section 4.4 
run in poly-logarithmic time. We begin by examining the computations performed by the 
checker of Theorem 4.4.1. Most of the checker's computation is devoted to constructing 
the coloring problem instances that are needed in the recursion. Fortunately, these coloring 
problem instances do not depend on the actual coloring problem being proved solvable. 
They are only statements like "there is a polynomial of degree d that evaluates to some 
value at x . v Thus, all of these presentations of coloring problem instances can be computed 
once and used in all proof checking to be done thereafter. Assuming that the proof checker 
has access to these presentations, it need only do poly-logarithmic work: the rest of its 
operations are choosing which parts of the proof to look at and checking proofs constructed 
by Theorem 4.0.1. Thus, we have proved the second variation of our holographic proof 
theorem: 

Theorem 4.5.1 [Efficient holographic proofs, variation 2] For all polynomial-time constructible 
functions q(n) = O(loglogra), there exists a table A and a probabilistic algorithm V (called 
a proof checker) that expects as input an encoding of a coloring problem instance T and a 
holographic proof II such that 

. \ii\ = \T\ 1+2 ^ q(n)) (iog\T\)^^; 

• V reads only 2°^ n » bits of T, II, and A; 

• if the coloring problem instance T is solvable, then there is a holographic proof II that 
will cause V to accept with probability 1; moreover, II can be computed from a coloring 
problem solution of T in time |IT| log^ ' |IT|; 

• if V accepts (T, II) with probability greater than 1/2, then T is close to an encoding of 
a coloring problem instance and II contains a presentation that is close to a solution of 
that instance; 

• V runs in time log^ ' \T\. 
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For all practical purposes, our checker now runs in poly-logarithmic time. The table of 
encodings of coloring problem instances can be written once and accessed forever. However, 
the need for this table can be eliminated if we use a coloring problem developed in [BFLS91]. 

4.6 The coloring problem of Babai, Fortnow, Levin, and Szegedy 

Babai, Fortnow, Levin, and Szegedy set out to provide holographic versions of any proof of 
any mathematical statement. To achieve this end, they rely on the Kolomorgorov-Uspenskii 
thesis which implies that any proof can be efficiently expressed by a computation of a certain 
type of non-deterministic pointer machine [KU58]. They then observe that the computations 
of these pointer machines can be efficiently witnessed by restricted computations on a RAM. 
They translate these RAM computations into a coloring problem on a graph that is similar 
to the coloring problem we used in Section 4.3.I. 11 The advantage of the coloring problem 
in [BFLS91] is that the problem instance does not need to be as large as the problem 
solution. 

In the coloring problem of [BFLS91], each node receives only one color. The problem 
instance is described by a coloring of an initial set of the nodes in the graph. The problem 
instance is solvable if there exists a coloring of the rest of the nodes in the graph that 
satisfies all the coloring rules. The type of problem instance that they have in mind is an 
encoding, by a good error-correcting code, of a proposed theorem. They demonstrate the 
existance of a set of local coloring rules such that it will be possible to complete the coloring 
of the graph in agreement with the rules only if the problem instance decodes to a statement 
of a provable theorem. Moreover, given a proof of the theorem, one can easily construct a 
coloring of the rest of the graph that satisfies the coloring rules. Actually, the techniques 
developed in [BFLS91] are even more general — they show that for any non-deterministic 
RAM algorithm, there is a finite set of coloring rules under which the rest of the nodes of 
the graph can be legally colored only if there is a computation of the algorithm that accepts 
on the input indicated by the initial coloring. The application to checking proofs is a special 
case in which the RAM algorithm checks proofs. 



Our coloring problem was inspired by theirs. It is weaker, but we hope it is easier to understand. 
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The graphs on which their coloring problem is defined are very similar to the graphs 
we used in Section 4.3.1: we can assume that their graphs are finite products of families of 
de Bruijn graphs and line graphs. Their coloring rules can be assumed to be the natural 
generalizations of coloring rules such as conditions (1), (2), and (3) of Section 4.3.1. Thus, 
instances of their graph coloring problem can be checked using algebraic techniques similar 
to those used in Sections 4.2, and 4.3.1. 

The advantage of using the coloring problem of [BFLS91] in our recursion is that it 
eliminates the need for the checker to write coloring problem instances to check the recur- 
sion. For each type of relation that the checker needs to check, there is one uniform RAM 
algorithm that can perform the check. Thus, the checker need merely know the finite set 
of coloring rules associated with checking the computations associated with each of these 
algorithms, and verify that they are satisfied. 

Thus, by combining the algebraic machinery developed in Section 4.2 and the recursion 
developed in Section 4.4 with the coloring problem of [BFLS91], we can prove the final 
variation of our holographic proof theorem: 

Theorem 4.6.1 [Efficient holographic proofs, variation 3] For all polynomial-time constructible 
functions q(n) = O(loglogra), there exists a probabilistic algorithm V (called a proof checker) 
that expects as input an encoding of a theorem T, which we call a theorem candidate, and and 
a holographic proof II such that 

• if T encodes a theorem that has a proof P, then there is a holographic proof II that 
will cause V to accept with probability 1; moreover, II can be computed from P in time 

iniiog^ini; 
. |n| = | jP |i+^- 9M) (logi^D^c-)); 

• V reads only 2°^ n » bits of T and II; 

• if V accepts (T, II) with probability greater than 1/2, then T is close to a unique encoding 
of a true theorem and II constitutes a proof of that theorem; 

• V runs in time log^ ' \H\. 
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For convenience, we state the following corollary: 

Corollary 4.6.2 For all e > 0, there exists a probabilistic polynomial-time turing machine V 
that accepts two inputs, a theorem candidate T and a witness II. V reads only a constant 
number of bits of its input II and uses only 0(log|II|) random bits. If there is a proof P of 
T that can be verified by a pointer machine or a RAM in time t, then there is an input II of 
size at most 0(\t\ j that will cause V to accept with probability 1. Conversely, if there is 
an assignment of II that causes V to accept with probability greater than 1/2, then C has a 
satisfying assignment. 
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Connections 



In this chapter, we will explore some connections between holographic proofs and expander 
codes. First, we wish to point out that current constructions of holographic proofs lead to 
codes that have checkers that read only a constant number of bits of their input: Let C be 
a circuit that is satisfied by every input, and consider the code consisting of the holographic 
proofs that C is satisfied. If these proofs can be checked by examining a constant number 
of their bits (as those constructed in Theorem 4.0.1 and Theorem 4.6.1 can be), and if 
the proofs corresponding to different satisfying assignments have constant relative distance 
from each other, then the checker of these proofs is a checker in the sense of Definition 4.1.1. 
This code has a large number of words — one for each satisfying assignment — but it is still 
highly redundant (even those constructed in Section 4.4 have too much redundancy from 
the perspective of a coding theorist). For this chapter, we will define a checkable code to 
be a code of constant relative minimum distance and at most polynomial redundancy that 
has a checker that reads only a constant number of its inputs. All known constructions of 
checkable codes go through the "PCP-Theorem" (Theorem 4.0.1). 

If we examine a construction of a checkable code carefully, we see that the probability 
that its checker rejects a word is roughly proportional to the distance of that word from 
the nearest codeword 1 . This rough proportionality is necessary. If a checker examines only 



Moreover, the checkable codes that are used in the proof of Theorem 4.0.1 all have this property. 
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k bits of its input, and if it accepts all codewords, then the probability that it will reject a 
word of relative distance e from a codeword is at most ek. Moreover, we know that there is 
some constant S such that if a word has relative distance at least S from every codeword, 
then the checker must reject that word with probability at least 1/2. Since the checker only 
examines k bits of its input, the probability that it rejects a word must change gradually 
over the space of words. 

Expander codes almost have a checker with this property. Consider the following at- 
tempt at checking an expander code: choose a few constraints uniformly at random and 
accept the input word if it satisfies all of them. In the proof of Theorem 2.3.1, we proved 
that there is a constant S such that if a word is within distance S of a codeword, then 
the probability that this algorithm rejects the word is roughly proportional to its distance 
from the codeword. However, expander codes are not necessarily checkable. An expander 
code can have words that are far from any codeword but which satisfy all but one of its 
constraints. 

Consider again the random construction of expander codes in Section 2.3. It is very 
likely that some constraint will be independent of the others. That means that there are 
words that satisfy all constraints but this one. Moreover, such a word cannot be close to 
any codeword, because there can be no word with just one unsatisfied constraint that is 
close to a codeword. A similar argument shows that if there are two constraints that are 
not dependent on the others, then there will be words that satisfy all constraints but these 
two. Thus, if we are going to construct expander codes that are checkable by the means 
we suggested in this section, then there must be a high level of redundancy among the 
constraints imposed on the code. 

It is interesting to point out that the checkable codes derived from holographic proofs 
can be decoded by the algorithms used to decode expander codes. Let S be a set of bits 
that a proof checker might examine. We can form a constraint on the bits in S by saying 
that the constraint is satisfied by a setting of the bits in S only if the proof checker would 
accept those bits. The constraints formed by examining all such sets are analogous to the 
constraints imposed on the expander codes. Moreover, current constructions of holographic 
proofs induce codes that can be decoded by simple variations of the sequential and parallel 
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expander code decoding algorithms presented in Section 2.3 (these algorithms need to be 
altered slightly to deal with constraints that are not linear, but the general idea of flipping 
bits that are in more unsatisfied than satisfied constraints still works). 

5.1 Are checkable codes necessary for holographic proofs? 

It is conceivable that one could construct holographic proof systems that do not result in 
checkable codes. Consider the statement of Corollary 4.0.2. This statement is sufficient for 
most of the results derived from Theorem 4.0.1. Moreover, Corollary 4.0.2 does not say that 
there must be one holographic proof II for each satisfying assignment of C or that these 
holographic proofs must be far apart. Thus, it is not clear that Corollary 4.0.2 leads to a 
construction of checkable codes. 

Arora [Aro94] takes a big step towards showing that statements such as Corollary 4.0.2 
actually do imply the existence of checkable codes. He essentially shows that if one is given 
a holographic proof system in which one can compute in polynomial time a satisfying as- 
signment of a circuit from any holographic proof that the circuit is satisfied, then, assuming 
that collision-intractable hash functions exist, the set of holographic proofs that a circuit 
is satisfiable is a code with constant relative minimum distance. All holographic proof sys- 
tems constructed so far have this property, and it is difficult to imagine one which does not. 
Arora then shows that any such proof system can be easily modified to yield a checkable 
code. 

In light of Arora's results, we feel that the best hope for finding an alternative construc- 
tion of holographic proofs is to first try to find a direct construction of checkable codes. 
One possible way of doing this would be to develop a carefully controlled construction of 
expander codes in which there is high redundancy among the constraints. We know that it 
is possible to add a slight amount of redundancy to the constraints, but we do not know 
how to achieve a constant factor of redundancy. Another advantage of adding redundancy 
to the constraints is that this would increase the rate of the codes without affecting their 
error-correction ability. Thus, we feel that the problems of constructing checkable expander 
codes and better expander codes are intertwined with the problem of finding expander codes 
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with highly redundant constraints. 
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